{"description":"SecretStoreList is a list of SecretStore","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of secretstores. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1alpha1.SecretStore"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"SecretStoreList","version":"v1alpha1"}],"title":"SecretStoreList (external-secrets.io/v1alpha1)","definitions":{"aws.k8s.elbv2.v1alpha1.TargetGroupBinding":{"description":"TargetGroupBinding is the Schema for the TargetGroupBinding API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"TargetGroupBindingSpec defines the desired state of TargetGroupBinding","type":"object","required":["serviceRef","targetGroupARN"],"properties":{"networking":{"description":"networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup.","type":"object","properties":{"ingress":{"description":"List of ingress rules to allow ELBV2 LoadBalancer to access targets in TargetGroup.","type":"array","items":{"type":"object","required":["from","ports"],"properties":{"from":{"description":"List of peers which should be able to access the targets in TargetGroup. At least one NetworkingPeer should be specified.","type":"array","items":{"description":"NetworkingPeer defines the source/destination peer for networking rules.","type":"object","properties":{"ipBlock":{"description":"IPBlock defines an IPBlock peer. If specified, none of the other fields can be set.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"CIDR is the network CIDR. Both IPV4 or IPV6 CIDR are accepted.","type":"string"}}},"securityGroup":{"description":"SecurityGroup defines a SecurityGroup peer. 
If specified, none of the other fields can be set.","type":"object","required":["groupID"],"properties":{"groupID":{"description":"GroupID is the EC2 SecurityGroupID.","type":"string"}}}}}},"ports":{"description":"List of ports which should be made accessible on the targets in TargetGroup. If ports is empty or unspecified, it defaults to all ports with TCP.","type":"array","items":{"type":"object","properties":{"port":{"description":"The port which traffic must match. When NodePort endpoints(instance TargetType) is used, this must be a numerical port. When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. if port is unspecified, it defaults to all ports.","x-kubernetes-int-or-string":true},"protocol":{"description":"The protocol which traffic must match. If protocol is unspecified, it defaults to TCP.","type":"string","enum":["TCP","UDP"]}}}}}}}}},"serviceRef":{"description":"serviceRef is a reference to a Kubernetes Service and ServicePort.","type":"object","required":["name","port"],"properties":{"name":{"description":"Name is the name of the Service.","type":"string"},"port":{"description":"Port is the port of the ServicePort.","x-kubernetes-int-or-string":true}}},"targetGroupARN":{"description":"targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup.","type":"string"},"targetType":{"description":"targetType is the TargetType of TargetGroup. 
If unspecified, it will be automatically inferred.","type":"string","enum":["instance","ip"]}}},"status":{"description":"TargetGroupBindingStatus defines the observed state of TargetGroupBinding","type":"object","properties":{"observedGeneration":{"description":"The generation observed by the TargetGroupBinding controller.","type":"integer","format":"int64"}}}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"TargetGroupBinding","version":"v1alpha1"}],"title":"aws.k8s.elbv2.v1alpha1.TargetGroupBinding"},"aws.k8s.elbv2.v1alpha1.TargetGroupBindingList":{"description":"TargetGroupBindingList is a list of TargetGroupBinding","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of targetgroupbindings. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.elbv2.v1alpha1.TargetGroupBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"TargetGroupBindingList","version":"v1alpha1"}],"title":"aws.k8s.elbv2.v1alpha1.TargetGroupBindingList"},"aws.k8s.elbv2.v1beta1.IngressClassParams":{"description":"IngressClassParams is the Schema for the IngressClassParams API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"IngressClassParamsSpec defines the desired state of IngressClassParams","type":"object","properties":{"group":{"description":"Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the name of IngressGroup.","type":"string"}}},"inboundCIDRs":{"description":"InboundCIDRs specifies the CIDRs that are allowed to access the Ingresses that belong to IngressClass with this IngressClassParams.","type":"array","items":{"type":"string"}},"ipAddressType":{"description":"IPAddressType defines the ip address type for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string","enum":["ipv4","dualstack"]},"loadBalancerAttributes":{"description":"LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"array","items":{"description":"Attributes defines custom attributes on resources.","type":"object","required":["key","value"],"properties":{"key":{"description":"The key of the attribute.","type":"string"},"value":{"description":"The value of the attribute.","type":"string"}}}},"namespaceSelector":{"description":"NamespaceSelector restricts the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scheme":{"description":"Scheme defines the scheme for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string","enum":["internal","internet-facing"]},"sslPolicy":{"description":"SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string"},"subnets":{"description":"Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"object","properties":{"ids":{"description":"IDs specify the resource IDs of subnets. 
Exactly one of this or `tags` must be specified.","type":"array","minItems":1,"items":{"description":"SubnetID specifies a subnet ID.","type":"string","pattern":"subnet-[0-9a-f]+"}},"tags":{"description":"Tags specifies subnets in the load balancer's VPC where each tag specified in the map key contains one of the values in the corresponding value list. Exactly one of this or `ids` must be specified.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}}},"tags":{"description":"Tags defines list of Tags on AWS resources provisioned for Ingresses that belong to IngressClass with this IngressClassParams.","type":"array","items":{"description":"Tag defines an AWS Tag on resources.","type":"object","required":["key","value"],"properties":{"key":{"description":"The key of the tag.","type":"string"},"value":{"description":"The value of the tag.","type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"IngressClassParams","version":"v1beta1"}],"title":"aws.k8s.elbv2.v1beta1.IngressClassParams"},"aws.k8s.elbv2.v1beta1.IngressClassParamsList":{"description":"IngressClassParamsList is a list of IngressClassParams","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ingressclassparams. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.elbv2.v1beta1.IngressClassParams"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"IngressClassParamsList","version":"v1beta1"}],"title":"aws.k8s.elbv2.v1beta1.IngressClassParamsList"},"aws.k8s.elbv2.v1beta1.TargetGroupBinding":{"description":"TargetGroupBinding is the Schema for the TargetGroupBinding API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"TargetGroupBindingSpec defines the desired state of TargetGroupBinding","type":"object","required":["serviceRef","targetGroupARN"],"properties":{"ipAddressType":{"description":"ipAddressType specifies whether the target group is of type IPv4 or IPv6. 
If unspecified, it will be automatically inferred.","type":"string","enum":["ipv4","ipv6"]},"networking":{"description":"networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup.","type":"object","properties":{"ingress":{"description":"List of ingress rules to allow ELBV2 LoadBalancer to access targets in TargetGroup.","type":"array","items":{"description":"NetworkingIngressRule defines a particular set of traffic that is allowed to access TargetGroup's targets.","type":"object","required":["from","ports"],"properties":{"from":{"description":"List of peers which should be able to access the targets in TargetGroup. At least one NetworkingPeer should be specified.","type":"array","items":{"description":"NetworkingPeer defines the source/destination peer for networking rules.","type":"object","properties":{"ipBlock":{"description":"IPBlock defines an IPBlock peer. If specified, none of the other fields can be set.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"CIDR is the network CIDR. Both IPV4 or IPV6 CIDR are accepted.","type":"string"}}},"securityGroup":{"description":"SecurityGroup defines a SecurityGroup peer. If specified, none of the other fields can be set.","type":"object","required":["groupID"],"properties":{"groupID":{"description":"GroupID is the EC2 SecurityGroupID.","type":"string"}}}}}},"ports":{"description":"List of ports which should be made accessible on the targets in TargetGroup. If ports is empty or unspecified, it defaults to all ports with TCP.","type":"array","items":{"description":"NetworkingPort defines the port and protocol for networking rules.","type":"object","properties":{"port":{"description":"The port which traffic must match. When NodePort endpoints(instance TargetType) is used, this must be a numerical port. When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. 
if port is unspecified, it defaults to all ports.","x-kubernetes-int-or-string":true},"protocol":{"description":"The protocol which traffic must match. If protocol is unspecified, it defaults to TCP.","type":"string","enum":["TCP","UDP"]}}}}}}}}},"nodeSelector":{"description":"node selector for instance type target groups to only register certain nodes","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceRef":{"description":"serviceRef is a reference to a Kubernetes Service and ServicePort.","type":"object","required":["name","port"],"properties":{"name":{"description":"Name is the name of the Service.","type":"string"},"port":{"description":"Port is the port of the ServicePort.","x-kubernetes-int-or-string":true}}},"targetGroupARN":{"description":"targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup.","type":"string","minLength":1},"targetType":{"description":"targetType is the TargetType of TargetGroup. If unspecified, it will be automatically inferred.","type":"string","enum":["instance","ip"]}}},"status":{"description":"TargetGroupBindingStatus defines the observed state of TargetGroupBinding","type":"object","properties":{"observedGeneration":{"description":"The generation observed by the TargetGroupBinding controller.","type":"integer","format":"int64"}}}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"TargetGroupBinding","version":"v1beta1"}],"title":"aws.k8s.elbv2.v1beta1.TargetGroupBinding"},"aws.k8s.elbv2.v1beta1.TargetGroupBindingList":{"description":"TargetGroupBindingList is a list of TargetGroupBinding","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of targetgroupbindings. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.elbv2.v1beta1.TargetGroupBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elbv2.k8s.aws","kind":"TargetGroupBindingList","version":"v1beta1"}],"title":"aws.k8s.elbv2.v1beta1.TargetGroupBindingList"},"aws.k8s.networking.v1alpha1.ApplicationNetworkPolicy":{"description":"ApplicationNetworkPolicy is the Schema for the applicationnetworkpolicies API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ApplicationNetworkPolicySpec defines the desired state of ApplicationNetworkPolicy","type":"object","required":["podSelector"],"properties":{"egress":{"description":"Egress is a list of egress rules to be applied to the selected pods. Outgoing traffic\nis allowed if there are no ApplicationNetworkPolicies selecting the pod (and cluster policy\notherwise allows the traffic), OR if the traffic matches at least one egress rule\nacross all of the ApplicationNetworkPolicy objects whose podSelector matches the pod.","type":"array","items":{"description":"ApplicationNetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods\nmatched by an ApplicationNetworkPolicySpec's podSelector. The traffic must match both ports and to.","type":"object","properties":{"ports":{"description":"Ports is a list of destination ports for outgoing traffic.\nEach item in this list is combined using a logical OR. If this field is\nempty or missing, this rule matches all ports (traffic not restricted by port).\nIf this field is present and contains at least one item, then this rule allows\ntraffic only if the traffic matches at least one port in the list.","type":"array","items":{"description":"NetworkPolicyPort describes a port to allow traffic on","type":"object","properties":{"endPort":{"description":"endPort indicates that the range of ports from port to endPort if set, inclusive,\nshould be allowed by the policy. This field cannot be defined if the port field\nis not defined or if the port field is defined as a named (string) port.\nThe endPort must be equal or greater than port.","type":"integer","format":"int32"},"port":{"description":"port represents the port on the given protocol. This can either be a numerical or named\nport on a pod. 
If this field is not provided, this matches all port names and\nnumbers.\nIf present, only traffic on the specified protocol AND port will be matched.","x-kubernetes-int-or-string":true},"protocol":{"description":"protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.\nIf not specified, this field defaults to TCP.","type":"string"}}}},"to":{"description":"To is a list of destinations for outgoing traffic of pods selected for this rule.\nItems in this list are combined using a logical OR operation. If this field is\nempty or missing, this rule matches all destinations (traffic not restricted by\ndestination). If this field is present and contains at least one item, this rule\nallows traffic only if the traffic matches at least one item in the to list.","type":"array","items":{"description":"ApplicationNetworkPolicyPeer describes a peer to allow traffic to/from.\nOnly certain combinations of fields are allowed","type":"object","properties":{"domainNames":{"description":"DomainNames provides a way to specify domain names as peers.\n\nDomainNames is only supported for Allow rules. In order to control\naccess, DomainNames Allow rules should be used with a lower priority\negress deny -- this allows the admin to maintain an explicit \"allowlist\"\nof reachable domains.\n\nThis field is mutually exclusive with PodSelector, NamespaceSelector, and IPBlock.\nFQDN rules are ALLOW-only and do not support DENY semantics.","type":"array","minItems":1,"items":{"description":"DomainName describes one or more domain names to be used as a peer.\n\nDomainName can be an exact match, or use the wildcard specifier '*' to match\none or more labels.\n\n'*', the wildcard specifier, matches one or more entire labels. It does not\nsupport partial matches. 
'*' may only be specified as a prefix.\n\n\tExamples:\n\t  - `kubernetes.io` matches only `kubernetes.io`.\n\t    It does not match \"www.kubernetes.io\", \"blog.kubernetes.io\",\n\t    \"my-kubernetes.io\", or \"wikipedia.org\".\n\t  - `blog.kubernetes.io` matches only \"blog.kubernetes.io\".\n\t    It does not match \"www.kubernetes.io\" or \"kubernetes.io\".\n\t  - `*.kubernetes.io` matches subdomains of kubernetes.io.\n\t    \"www.kubernetes.io\", \"blog.kubernetes.io\", and\n\t    \"latest.blog.kubernetes.io\" match, however \"kubernetes.io\", and\n\t    \"wikipedia.org\" do not.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"x-kubernetes-list-type":"set"},"ipBlock":{"description":"IPBlock defines policy on a particular IPBlock. If this field is set then\nneither of the other fields can be.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"cidr is a string representing the IPBlock\nValid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"","type":"string"},"except":{"description":"except is a slice of CIDRs that should not be included within an IPBlock\nValid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"\nExcept values will be rejected if they are outside the cidr range","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"namespaceSelector":{"description":"NamespaceSelector selects namespaces using cluster-scoped labels. This field follows\nstandard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects\nthe pods matching podSelector in the namespaces selected by namespaceSelector.\nOtherwise it selects all pods in the namespaces selected by namespaceSelector.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"PodSelector is a label selector which selects pods. This field follows standard label\nselector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects\nthe pods matching podSelector in the Namespaces selected by NamespaceSelector.\nOtherwise it selects the pods matching podSelector in the policy's own namespace.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-validations":[{"message":"ipBlock and domainNames are mutually exclusive","rule":"!(has(self.ipBlock) && has(self.domainNames))"},{"message":"podSelector and domainNames are mutually exclusive","rule":"!(has(self.podSelector) && has(self.domainNames))"},{"message":"namespaceSelector and domainNames are mutually exclusive","rule":"!(has(self.namespaceSelector) && has(self.domainNames))"}]}}}}},"ingress":{"description":"Ingress is a list of ingress rules to be applied to the selected pods.\nTraffic is allowed to a pod if there are no ApplicationNetworkPolicies selecting the pod\n(and cluster policy otherwise allows the traffic), OR if the traffic source is\nthe pod's local node, OR if the traffic matches at least one ingress rule\nacross all of the ApplicationNetworkPolicy objects whose podSelector matches the pod.","type":"array","items":{"description":"NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods\nmatched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.","type":"object","properties":{"from":{"description":"from is a list of sources which should be able to access the pods selected for this rule.\nItems in this list are combined using a logical OR operation. If this field is\nempty or missing, this rule matches all sources (traffic not restricted by\nsource). If this field is present and contains at least one item, this rule\nallows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"description":"NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of\nfields are allowed","type":"object","properties":{"ipBlock":{"description":"ipBlock defines policy on a particular IPBlock. 
If this field is set then\nneither of the other fields can be.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"cidr is a string representing the IPBlock\nValid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"","type":"string"},"except":{"description":"except is a slice of CIDRs that should not be included within an IPBlock\nValid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"\nExcept values will be rejected if they are outside the cidr range","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"namespaceSelector":{"description":"namespaceSelector selects namespaces using cluster-scoped labels. This field follows\nstandard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects\nthe pods matching podSelector in the namespaces selected by namespaceSelector.\nOtherwise it selects all pods in the namespaces selected by namespaceSelector.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"podSelector is a label selector which selects pods. This field follows standard label\nselector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects\nthe pods matching podSelector in the Namespaces selected by NamespaceSelector.\nOtherwise it selects the pods matching podSelector in the policy's own namespace.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"ports":{"description":"ports is a list of ports which should be made accessible on the pods selected for\nthis rule. Each item in this list is combined using a logical OR. If this field is\nempty or missing, this rule matches all ports (traffic not restricted by port).\nIf this field is present and contains at least one item, then this rule allows\ntraffic only if the traffic matches at least one port in the list.","type":"array","items":{"description":"NetworkPolicyPort describes a port to allow traffic on","type":"object","properties":{"endPort":{"description":"endPort indicates that the range of ports from port to endPort if set, inclusive,\nshould be allowed by the policy. This field cannot be defined if the port field\nis not defined or if the port field is defined as a named (string) port.\nThe endPort must be equal or greater than port.","type":"integer","format":"int32"},"port":{"description":"port represents the port on the given protocol. This can either be a numerical or named\nport on a pod. 
If this field is not provided, this matches all port names and\nnumbers.\nIf present, only traffic on the specified protocol AND port will be matched.","x-kubernetes-int-or-string":true},"protocol":{"description":"protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.\nIf not specified, this field defaults to TCP.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}},"podSelector":{"description":"PodSelector selects the pods to which this ApplicationNetworkPolicy object applies.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"policyTypes":{"description":"PolicyTypes is a list of rule types that the ApplicationNetworkPolicy relates to.\nValid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"].\nIf this field is not specified, it will default based on the existence of ingress or egress rules.","type":"array","items":{"description":"PolicyType string describes the NetworkPolicy type\nThis type is beta-level in 1.8","type":"string"}}}},"status":{"description":"ApplicationNetworkPolicyStatus defines the observed state of ApplicationNetworkPolicy","type":"object","properties":{"conditions":{"description":"Conditions represent the latest available observations of the ApplicationNetworkPolicy's current state.","type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ApplicationNetworkPolicy","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ApplicationNetworkPolicy"},"aws.k8s.networking.v1alpha1.ApplicationNetworkPolicyList":{"description":"ApplicationNetworkPolicyList is a list of ApplicationNetworkPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of applicationnetworkpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.networking.v1alpha1.ApplicationNetworkPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ApplicationNetworkPolicyList","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ApplicationNetworkPolicyList"},"aws.k8s.networking.v1alpha1.ClusterNetworkPolicy":{"description":"ClusterNetworkPolicy is the Schema for the clusternetworkpolicies API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ClusterNetworkPolicySpec defines the desired state of ClusterNetworkPolicy","type":"object","required":["priority","subject","tier"],"properties":{"egress":{"description":"Egress rules","type":"array","maxItems":100,"items":{"type":"object","required":["action","to"],"properties":{"action":{"description":"Action specifies the effect this rule will have on matching traffic.","type":"string","enum":["Accept","Deny","Pass"]},"name":{"description":"Name is an identifier for this rule, that may be no more than\n100 characters in length. This field should be used by the implementation\nto help improve observability, readability and error-reporting\nfor any applied AdminNetworkPolicies.","type":"string","maxLength":100},"ports":{"description":"Ports allows for matching traffic based on port and protocols.\nThis field is a list of destination ports for the outgoing egress traffic.\nIf Ports is not set then the rule does not filter traffic via port.","type":"array","maxItems":100,"minItems":1,"items":{"type":"object","properties":{"namedPort":{"type":"string"},"portNumber":{"type":"object","required":["port","protocol"],"properties":{"port":{"description":"Port defines a network port value.","type":"integer","format":"int32","maximum":65535,"minimum":1},"protocol":{"description":"Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must\nmatch. 
If not specified, this field defaults to TCP.","type":"string"}}},"portRange":{"description":"CNPPortRange defines an inclusive range of ports from the assigned\nStart value to End value.","type":"object","required":["end","start"],"properties":{"end":{"description":"End defines a network port that is the end of a port range, the End value\nmust be greater than Start.","type":"integer","format":"int32","maximum":65535,"minimum":1},"protocol":{"description":"Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must\nmatch. If not specified, this field defaults to TCP.","type":"string"},"start":{"description":"Start defines a network port that is the start of a port range, the Start\nvalue must be less than End.","type":"integer","format":"int32","maximum":65535,"minimum":1}},"x-kubernetes-validations":[{"message":"Start port must be less than End port","rule":"self.start < self.end"}]}}}},"to":{"description":"To is the List of destinations whose traffic this rule applies to.\nIf any element matches the destination of outgoing\ntraffic then the specified action is applied.\nThis field must be defined and contain at least one item.","type":"array","maxItems":100,"minItems":1,"items":{"description":"ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to.\n\nExactly one of the fields must be set for a given peer and this is enforced\nby the validation rules on the CRD. If an implementation sees no fields are\nset then it can infer that the deployed CRD is of an incompatible version\nwith an unknown field. 
In that case it should fail closed.","type":"object","maxProperties":1,"minProperties":1,"properties":{"domainNames":{"description":"DomainNames provides a way to specify domain names as peers.\nDomainNames support Accept and Pass actions (our extension from upstream).\nUpstream CNP only supports Accept for domainNames; we add Pass support.\nNOTE: the x-kubernetes-validations rule on the egress rule in this schema still rejects\na domainNames peer unless action is Accept, so a Pass rule with domainNames fails validation here.","type":"array","maxItems":25,"minItems":1,"items":{"description":"DomainName describes one or more domain names to be used as a peer.\n\nDomainName can be an exact match, or use the wildcard specifier '*' to match\none or more labels.\n\n'*', the wildcard specifier, matches one or more entire labels. It does not\nsupport partial matches. '*' may only be specified as a prefix.\n\n\tExamples:\n\t  - `kubernetes.io` matches only `kubernetes.io`.\n\t    It does not match \"www.kubernetes.io\", \"blog.kubernetes.io\",\n\t    \"my-kubernetes.io\", or \"wikipedia.org\".\n\t  - `blog.kubernetes.io` matches only \"blog.kubernetes.io\".\n\t    It does not match \"www.kubernetes.io\" or \"kubernetes.io\".\n\t  - `*.kubernetes.io` matches subdomains of kubernetes.io.\n\t    \"www.kubernetes.io\", \"blog.kubernetes.io\", and\n\t    \"latest.blog.kubernetes.io\" match, however \"kubernetes.io\", and\n\t    \"wikipedia.org\" do not.\n\nNOTE: the pattern's character class a-zA-z0-9 uses the range A-z, which also admits the ASCII\npunctuation between Z and a as the first character of a label; do not treat a pattern match\nas proof that the name is a well-formed DNS name.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"x-kubernetes-list-type":"set"},"namespaces":{"description":"Namespaces defines a way to select all pods within a set of Namespaces.\nNote that host-networked pods are not included in this type of peer.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"networks":{"description":"Networks defines a way to select peers via CIDR blocks.","type":"array","maxItems":25,"minItems":1,"items":{"description":"CIDR is an IP address range in CIDR notation\n(for example, \"10.0.0.0/8\" or \"fd00::/8\").","type":"string","maxLength":43},"x-kubernetes-list-type":"set"},"pods":{"description":"Pods defines a way to select a set of pods in\na set of namespaces. 
Note that host-networked pods\nare not included in this type of peer.","type":"object","required":["namespaceSelector","podSelector"],"properties":{"namespaceSelector":{"description":"NamespaceSelector follows standard label selector semantics; if empty,\nit selects all Namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"PodSelector is used to explicitly select pods within a namespace;\nif empty, it selects all Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}}}}},"x-kubernetes-validations":[{"message":"domainNames peer can only be used with Accept action","rule":"!(self.action != 'Accept' && self.to.exists(peer, has(peer.domainNames)))"}]}},"ingress":{"description":"Ingress rules","type":"array","maxItems":100,"items":{"type":"object","required":["action","from"],"properties":{"action":{"description":"Action specifies the effect this rule will have on matching traffic.","type":"string","enum":["Accept","Deny","Pass"]},"from":{"description":"From is the list of sources whose traffic this rule applies to.\nIf any element matches the source of incoming\ntraffic then the specified action is applied.\nThis field must be defined and contain at least one item.","type":"array","maxItems":100,"minItems":1,"items":{"description":"ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from.\n\nExactly one of the fields must be set for a given peer and this is enforced\nby the validation rules on the CRD. If an implementation sees no fields are\nset then it can infer that the deployed CRD is of an incompatible version\nwith an unknown field. In that case it should fail closed.","type":"object","maxProperties":1,"minProperties":1,"properties":{"namespaces":{"description":"Namespaces defines a way to select all pods within a set of Namespaces.\nNote that host-networked pods are not included in this type of peer.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"pods":{"description":"Pods defines a way to select a set of pods in\na set of namespaces. Note that host-networked pods\nare not included in this type of peer.","type":"object","required":["namespaceSelector","podSelector"],"properties":{"namespaceSelector":{"description":"NamespaceSelector follows standard label selector semantics; if empty,\nit selects all Namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"PodSelector is used to explicitly select pods within a namespace;\nif empty, it selects all Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}}}},"name":{"description":"Name is an identifier for this rule, that may be no more than\n100 characters in length. 
This field should be used by the implementation\nto help improve observability, readability and error-reporting\nfor any applied AdminNetworkPolicies.","type":"string","maxLength":100},"ports":{"description":"Ports allows for matching traffic based on port and protocols.\nThis field is a list of ports which should be matched on\nthe pods selected for this policy, i.e. the subject of the policy.\nSo it matches on the destination port for the ingress traffic.\nIf Ports is not set then the rule does not filter traffic via port.","type":"array","maxItems":100,"minItems":1,"items":{"type":"object","properties":{"namedPort":{"type":"string"},"portNumber":{"type":"object","required":["port","protocol"],"properties":{"port":{"description":"Port defines a network port value.","type":"integer","format":"int32","maximum":65535,"minimum":1},"protocol":{"description":"Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must\nmatch. If not specified, this field defaults to TCP.","type":"string"}}},"portRange":{"description":"CNPPortRange defines an inclusive range of ports from the assigned\nStart value to End value.","type":"object","required":["end","start"],"properties":{"end":{"description":"End defines a network port that is the end of a port range, the End value\nmust be greater than Start.","type":"integer","format":"int32","maximum":65535,"minimum":1},"protocol":{"description":"Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must\nmatch. 
If not specified, this field defaults to TCP.","type":"string"},"start":{"description":"Start defines a network port that is the start of a port range, the Start\nvalue must be less than End.","type":"integer","format":"int32","maximum":65535,"minimum":1}},"x-kubernetes-validations":[{"message":"Start port must be less than End port","rule":"self.start < self.end"}]}}}}}}},"priority":{"description":"Priority within the tier (0-1000, lower = higher precedence)","type":"integer","format":"int32","maximum":1000,"minimum":0},"subject":{"description":"Subject defines which pods this policy applies to","type":"object","maxProperties":1,"minProperties":1,"properties":{"namespaces":{"description":"Namespaces is used to select pods via namespace selectors.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"pods":{"description":"Pods is used to select pods via namespace AND pod selectors.","type":"object","required":["namespaceSelector","podSelector"],"properties":{"namespaceSelector":{"description":"NamespaceSelector follows standard label selector semantics; if empty,\nit selects all Namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"PodSelector is used to explicitly select pods within a namespace;\nif empty, it selects all Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}}},"tier":{"description":"Tier specifies the policy tier (Admin, Baseline)","type":"string"}}},"status":{"description":"ClusterNetworkPolicyStatus defines the observed state of ClusterNetworkPolicy","type":"object","properties":{"conditions":{"description":"Conditions represent the latest available observations of the ClusterNetworkPolicy's current state.","type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ClusterNetworkPolicy","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ClusterNetworkPolicy"},"aws.k8s.networking.v1alpha1.ClusterNetworkPolicyList":{"description":"ClusterNetworkPolicyList is a list of ClusterNetworkPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusternetworkpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.networking.v1alpha1.ClusterNetworkPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ClusterNetworkPolicyList","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ClusterNetworkPolicyList"},"aws.k8s.networking.v1alpha1.ClusterPolicyEndpoint":{"description":"ClusterPolicyEndpoint is the Schema for the clusterpolicyendpoints API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ClusterPolicyEndpointSpec defines the desired state of ClusterPolicyEndpoint","type":"object","required":["policyRef","priority","subject","tier"],"properties":{"egress":{"description":"Egress is the list of egress rules containing resolved network addresses","type":"array","items":{"description":"ClusterEndpointInfo defines the network endpoint information for the cluster policy ingress/egress","type":"object","required":["action"],"properties":{"action":{"description":"Action from the CNP rule","type":"string","enum":["Accept","Deny","Pass"]},"cidr":{"description":"CIDR is the network address(es) of the endpoint","type":"string"},"domainName":{"description":"DomainName is the FQDN for the endpoint (egress-only)\nNote: the A-z ranges in the pattern also match the ASCII punctuation between Z and a, so the first character of a label is not limited to letters and digits.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"ports":{"description":"Ports is the list of ports","type":"array","items":{"description":"Port contains information about the transport port/protocol","type":"object","properties":{"endPort":{"description":"EndPort specifies the end of the port range, which runs from port to endPort.\nport must be defined and an integer, and endPort > port","type":"integer","format":"int32"},"port":{"description":"Port specifies the numerical port for the protocol. 
If empty applies to all ports","type":"integer","format":"int32"},"protocol":{"description":"Protocol specifies the transport protocol, default TCP","type":"string"}}}}}}},"ingress":{"description":"Ingress is the list of ingress rules containing resolved network addresses","type":"array","items":{"description":"ClusterEndpointInfo defines the network endpoint information for the cluster policy ingress/egress","type":"object","required":["action"],"properties":{"action":{"description":"Action from the CNP rule","type":"string","enum":["Accept","Deny","Pass"]},"cidr":{"description":"CIDR is the network address(es) of the endpoint","type":"string"},"domainName":{"description":"DomainName is the FQDN for the endpoint (egress-only)\nNote: the A-z ranges in the pattern also match the ASCII punctuation between Z and a, so the first character of a label is not limited to letters and digits.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"ports":{"description":"Ports is the list of ports","type":"array","items":{"description":"Port contains information about the transport port/protocol","type":"object","properties":{"endPort":{"description":"EndPort specifies the end of the port range, which runs from port to endPort.\nport must be defined and an integer, and endPort > port","type":"integer","format":"int32"},"port":{"description":"Port specifies the numerical port for the protocol. 
If empty applies to all ports","type":"integer","format":"int32"},"protocol":{"description":"Protocol specifies the transport protocol, default TCP","type":"string"}}}}}}},"podSelectorEndpoints":{"description":"PodSelectorEndpoints contains information about the pods\nmatching the policy across all namespaces","type":"array","items":{"description":"PodEndpoint defines the summary information for the pods","type":"object","required":["hostIP","name","namespace","podIP"],"properties":{"hostIP":{"description":"HostIP is the IP address of the host the pod is currently running on","type":"string"},"name":{"description":"Name is the pod name","type":"string"},"namespace":{"description":"Namespace is the pod namespace","type":"string"},"podIP":{"description":"PodIP is the IP address of the pod","type":"string"}}}},"policyRef":{"description":"PolicyRef is a reference to the Kubernetes ClusterNetworkPolicy resource.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the name of the ClusterNetworkPolicy","type":"string"}}},"priority":{"description":"Priority from the CNP","type":"integer","format":"int32"},"subject":{"description":"Subject from the CNP","type":"object","maxProperties":1,"minProperties":1,"properties":{"namespaces":{"description":"Namespaces is used to select pods via namespace selectors.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"pods":{"description":"Pods is used to select pods via namespace AND pod selectors.","type":"object","required":["namespaceSelector","podSelector"],"properties":{"namespaceSelector":{"description":"NamespaceSelector follows standard label selector semantics; if empty,\nit selects all Namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelector":{"description":"PodSelector is used to explicitly select pods within a namespace;\nif empty, it selects all Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}}},"tier":{"description":"Tier from the CNP","type":"string","enum":["Admin","Baseline"]}}},"status":{"description":"ClusterPolicyEndpointStatus defines the observed state of ClusterPolicyEndpoint","type":"object"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ClusterPolicyEndpoint","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ClusterPolicyEndpoint"},"aws.k8s.networking.v1alpha1.ClusterPolicyEndpointList":{"description":"ClusterPolicyEndpointList is a list of ClusterPolicyEndpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicyendpoints. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.networking.v1alpha1.ClusterPolicyEndpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"ClusterPolicyEndpointList","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.ClusterPolicyEndpointList"},"aws.k8s.networking.v1alpha1.PolicyEndpoint":{"description":"PolicyEndpoint is the Schema for the policyendpoints API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"PolicyEndpointSpec defines the desired state of PolicyEndpoint","type":"object","required":["policyRef"],"properties":{"egress":{"description":"Egress is the list of egress rules containing resolved network addresses","type":"array","items":{"description":"EndpointInfo defines the network endpoint information for the policy ingress/egress","type":"object","properties":{"cidr":{"description":"CIDR is the network address(es) of the endpoint","type":"string"},"domainName":{"description":"DomainName is the FQDN for the endpoint (mutually exclusive with CIDR, egress-only)\nNote: This field should only be used in egress rules, not ingress\nNote: the A-z ranges in the pattern also match the ASCII punctuation between Z and a, so the first character of a label is not limited to letters and digits.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"except":{"description":"Except lists the exceptions to the CIDR ranges mentioned above.","type":"array","items":{"type":"string"}},"ports":{"description":"Ports is the list of ports","type":"array","items":{"description":"Port contains information about the transport port/protocol","type":"object","properties":{"endPort":{"description":"EndPort specifies the end of the port range, which runs from port to endPort.\nport must be defined and an integer, and endPort > port","type":"integer","format":"int32"},"port":{"description":"Port specifies the numerical port for the protocol. 
If empty applies to all ports","type":"integer","format":"int32"},"protocol":{"description":"Protocol specifies the transport protocol, default TCP","type":"string"}}}}}}},"ingress":{"description":"Ingress is the list of ingress rules containing resolved network addresses","type":"array","items":{"description":"EndpointInfo defines the network endpoint information for the policy ingress/egress","type":"object","properties":{"cidr":{"description":"CIDR is the network address(es) of the endpoint","type":"string"},"domainName":{"description":"DomainName is the FQDN for the endpoint (mutually exclusive with CIDR, egress-only)\nNote: This field should only be used in egress rules, not ingress\nNote: the A-z ranges in the pattern also match the ASCII punctuation between Z and a, so the first character of a label is not limited to letters and digits.","type":"string","pattern":"^(\\*\\.)?([a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.)+[a-zA-z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])?\\.?$"},"except":{"description":"Except lists the exceptions to the CIDR ranges mentioned above.","type":"array","items":{"type":"string"}},"ports":{"description":"Ports is the list of ports","type":"array","items":{"description":"Port contains information about the transport port/protocol","type":"object","properties":{"endPort":{"description":"EndPort specifies the end of the port range, which runs from port to endPort.\nport must be defined and an integer, and endPort > port","type":"integer","format":"int32"},"port":{"description":"Port specifies the numerical port for the protocol. If empty applies to all ports","type":"integer","format":"int32"},"protocol":{"description":"Protocol specifies the transport protocol, default TCP","type":"string"}}}}}}},"podIsolation":{"description":"PodIsolation specifies whether the pod needs to be isolated for a\nparticular traffic direction Ingress or Egress, or both. If default isolation is not\nspecified, and there are no ingress/egress rules, then the pod is not isolated\nfrom the point of view of this policy. 
This follows the NetworkPolicy spec.PolicyTypes.","type":"array","items":{"description":"PolicyType string describes the NetworkPolicy type\nThis type is beta-level in 1.8","type":"string"}},"podSelector":{"description":"PodSelector is the podSelector from the policy resource","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podSelectorEndpoints":{"description":"PodSelectorEndpoints contains information about the pods\nmatching the podSelector","type":"array","items":{"description":"PodEndpoint defines the summary information for the pods","type":"object","required":["hostIP","name","namespace","podIP"],"properties":{"hostIP":{"description":"HostIP is the IP address of the host the pod is currently running on","type":"string"},"name":{"description":"Name is the pod name","type":"string"},"namespace":{"description":"Namespace is the pod namespace","type":"string"},"podIP":{"description":"PodIP is the IP address of the pod","type":"string"}}}},"policyRef":{"description":"PolicyRef is a reference to the Kubernetes NetworkPolicy resource.","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name is the name of the Policy","type":"string"},"namespace":{"description":"Namespace is the namespace of the Policy","type":"string"}}}}},"status":{"description":"PolicyEndpointStatus defines the observed state of PolicyEndpoint","type":"object"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"PolicyEndpoint","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.PolicyEndpoint"},"aws.k8s.networking.v1alpha1.PolicyEndpointList":{"description":"PolicyEndpointList is a list of PolicyEndpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyendpoints. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.networking.v1alpha1.PolicyEndpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.aws","kind":"PolicyEndpointList","version":"v1alpha1"}],"title":"aws.k8s.networking.v1alpha1.PolicyEndpointList"},"aws.k8s.services.documentdb.v1alpha1.DBCluster":{"description":"DBCluster is the Schema for the DBClusters API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBClusterSpec defines the desired state of DBCluster.\n\nDetailed information about a cluster.","type":"object","required":["dbClusterIdentifier","engine"],"properties":{"availabilityZones":{"description":"A list of Amazon EC2 Availability Zones that instances in the cluster can\nbe created in.","type":"array","items":{"type":"string"}},"backupRetentionPeriod":{"description":"The number of days for which automated backups are retained. You must specify\na minimum value of 1.\n\nDefault: 1\n\nConstraints:\n\n  - Must be a value from 1 to 35.","type":"integer","format":"int64"},"dbClusterIdentifier":{"description":"The cluster identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n  - Must contain from 1 to 63 letters, numbers, or hyphens.\n\n  - The first character must be a letter.\n\n  - Cannot end with a hyphen or contain two consecutive hyphens.\n\nExample: my-cluster","type":"string"},"dbClusterParameterGroupName":{"description":"The name of the cluster parameter group to associate with this cluster.","type":"string"},"dbSubnetGroupName":{"description":"A subnet group to associate with this cluster.\n\nConstraints: Must match the name of an existing DBSubnetGroup. 
Must not be\ndefault.\n\nExample: mySubnetgroup","type":"string"},"dbSubnetGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"deletionProtection":{"description":"Specifies whether this cluster can be deleted. If DeletionProtection is enabled,\nthe cluster cannot be deleted unless it is modified and DeletionProtection\nis disabled. DeletionProtection protects clusters from being accidentally\ndeleted.","type":"boolean"},"destinationRegion":{"description":"DestinationRegion is used for presigning the request to a given region.","type":"string"},"enableCloudwatchLogsExports":{"description":"A list of log types that need to be enabled for exporting to Amazon CloudWatch\nLogs. You can enable audit logs or profiler logs. For more information, see\nAuditing Amazon DocumentDB Events (https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html)\nand Profiling Amazon DocumentDB Operations (https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html).","type":"array","items":{"type":"string"}},"engine":{"description":"The name of the database engine to be used for this cluster.\n\nValid values: docdb","type":"string"},"engineVersion":{"description":"The version number of the database engine to use. The --engine-version will\ndefault to the latest major engine version. 
For production workloads, we\nrecommend explicitly declaring this parameter with the intended major engine\nversion.","type":"string"},"globalClusterIdentifier":{"description":"The cluster identifier of the new global cluster.\n\nRegex Pattern: `^[A-Za-z][0-9A-Za-z-:._]*$`","type":"string"},"kmsKeyID":{"description":"The KMS key identifier for an encrypted cluster.\n\nThe KMS key identifier is the Amazon Resource Name (ARN) for the KMS encryption\nkey. If you are creating a cluster using the same Amazon Web Services account\nthat owns the KMS encryption key that is used to encrypt the new cluster,\nyou can use the KMS key alias instead of the ARN for the KMS encryption key.\n\nIf an encryption key is not specified in KmsKeyId:\n\n  - If the StorageEncrypted parameter is true, Amazon DocumentDB uses your\n    default encryption key.\n\nKMS creates the default encryption key for your Amazon Web Services account.\nYour Amazon Web Services account has a different default encryption key for\neach Amazon Web Services Regions.","type":"string"},"kmsKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"manageMasterUserPassword":{"description":"Specifies whether to manage the master user password with Amazon Web Services\nSecrets Manager.\n\nConstraint: You can't manage the master user password with Amazon Web Services\nSecrets Manager if MasterUserPassword is specified.","type":"boolean"},"masterUserPassword":{"description":"The password for the master database user. 
This password can contain any\nprintable ASCII character except forward slash (/), double quote (\"), or\nthe \"at\" symbol (@).\n\nConstraints: Must contain from 8 to 100 characters.","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"masterUserSecretKMSKeyID":{"description":"The Amazon Web Services KMS key identifier to encrypt a secret that is automatically\ngenerated and managed in Amazon Web Services Secrets Manager. This setting\nis valid only if the master user password is managed by Amazon DocumentDB\nin Amazon Web Services Secrets Manager for the DB cluster.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key. To use a KMS key in a different Amazon\nWeb Services account, specify the key ARN or alias ARN.\n\nIf you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager\nKMS key is used to encrypt the secret. If the secret is in a different Amazon\nWeb Services account, then you can't use the aws/secretsmanager KMS key to\nencrypt the secret, and you must use a customer managed KMS key.\n\nThere is a default KMS key for your Amazon Web Services account. 
Your Amazon\nWeb Services account has a different default KMS key for each Amazon Web\nServices Region.","type":"string"},"masterUserSecretKMSKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"masterUsername":{"description":"The name of the master user for the cluster.\n\nConstraints:\n\n  - Must be from 1 to 63 letters or numbers.\n\n  - The first character must be a letter.\n\n  - Cannot be a reserved word for the chosen database engine.","type":"string"},"networkType":{"description":"The network type of the cluster.\n\nThe network type is determined by the DBSubnetGroup specified for the cluster.\nA DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6\nprotocols (DUAL).\n\nFor more information, see DocumentDB clusters in a VPC (https://docs.aws.amazon.com/documentdb/latest/developerguide/vpc-clusters.html)\nin the Amazon DocumentDB Developer Guide.\n\nValid Values: IPV4 | DUAL","type":"string"},"port":{"description":"The port number on which the instances in the cluster accept connections.","type":"integer","format":"int64"},"preSignedURL":{"description":"Not currently supported.","type":"string"},"preferredBackupWindow":{"description":"The daily time range during which automated backups are created if automated\nbackups are enabled using the BackupRetentionPeriod parameter.\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region.\n\nConstraints:\n\n  - Must be in the format hh24:mi-hh24:mi.\n\n  - Must be in Universal Coordinated Time 
(UTC).\n\n  - Must not conflict with the preferred maintenance window.\n\n  - Must be at least 30 minutes.","type":"string"},"preferredMaintenanceWindow":{"description":"The weekly time range during which system maintenance can occur, in Universal\nCoordinated Time (UTC).\n\nFormat: ddd:hh24:mi-ddd:hh24:mi\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region, occurring on a random day of\nthe week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.","type":"string"},"serverlessV2ScalingConfiguration":{"description":"Contains the scaling configuration of an Amazon DocumentDB Serverless cluster.","type":"object","properties":{"maxCapacity":{"type":"number"},"minCapacity":{"type":"number"}}},"snapshotIdentifier":{"description":"The identifier for the snapshot or cluster snapshot to restore from.\n\nYou can use either the name or the Amazon Resource Name (ARN) to specify\na cluster snapshot. However, you can use only the ARN to specify a snapshot.\n\nConstraints:\n\n  - Must match the identifier of an existing snapshot.","type":"string"},"sourceRegion":{"description":"SourceRegion is the source region where the resource exists. This is not\nsent over the wire and is only used for presigning. This value should always\nhave the same region as the source ARN.","type":"string"},"storageEncrypted":{"description":"Specifies whether the cluster is encrypted.","type":"boolean"},"storageType":{"description":"The storage type to associate with the DB cluster.\n\nFor information on storage types for Amazon DocumentDB clusters, see Cluster\nstorage configurations in the Amazon DocumentDB Developer Guide.\n\n# Valid values for storage type - standard | iopt1\n\n# Default value is standard\n\nWhen you create an Amazon DocumentDB cluster with the storage type set to\niopt1, the storage type is returned in the response. 
The storage type isn't\nreturned when you set it to standard.","type":"string"},"tags":{"description":"The tags to be assigned to the cluster.","type":"array","items":{"description":"Metadata assigned to an Amazon DocumentDB resource consisting of a key-value\npair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcSecurityGroupIDs":{"description":"A list of EC2 VPC security groups to associate with this cluster.","type":"array","items":{"type":"string"}},"vpcSecurityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"status":{"description":"DBClusterStatus defines the observed state of DBCluster","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"associatedRoles":{"description":"Provides a list of the Identity and Access Management (IAM) roles that are\nassociated with the cluster. IAM roles that are associated with a cluster\ngrant permission for the cluster to access other Amazon Web Services services\non your behalf.","type":"array","items":{"description":"Describes an Identity and Access Management (IAM) role that is associated\nwith a cluster.","type":"object","properties":{"roleARN":{"type":"string"},"status":{"type":"string"}}}},"cloneGroupID":{"description":"Identifies the clone group to which the DB cluster is associated.","type":"string"},"clusterCreateTime":{"description":"Specifies the time when the cluster was created, in Universal Coordinated\nTime (UTC).","type":"string","format":"date-time"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API 
resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dbClusterMembers":{"description":"Provides the list of instances that make up the cluster.","type":"array","items":{"description":"Contains information about an instance that is part of a cluster.","type":"object","properties":{"dbClusterParameterGroupStatus":{"type":"string"},"dbInstanceIdentifier":{"type":"string"},"isClusterWriter":{"type":"boolean"},"promotionTier":{"type":"integer","format":"int64"}}}},"dbClusterParameterGroup":{"description":"Specifies the name of the cluster parameter group for the cluster.","type":"string"},"dbClusterResourceID":{"description":"The Amazon Web Services Region-unique, immutable identifier for the cluster.\nThis identifier is found in CloudTrail log entries whenever the KMS key for\nthe cluster is accessed.","type":"string"},"dbSubnetGroup":{"description":"Specifies information on the subnet group that is associated with the cluster,\nincluding the name, description, and subnets in the subnet group.","type":"string"},"earliestRestorableTime":{"description":"The earliest time to which a database can be restored with point-in-time\nrestore.","type":"string","format":"date-time"},"enabledCloudwatchLogsExports":{"description":"A list of log types that this cluster is configured to export to Amazon CloudWatch\nLogs.","type":"array","items":{"type":"string"}},"endpoint":{"description":"Specifies the connection endpoint for the primary instance of the 
cluster.","type":"string"},"hostedZoneID":{"description":"Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.","type":"string"},"iOOptimizedNextAllowedModificationTime":{"description":"The next time you can modify the Amazon DocumentDB cluster to use the iopt1\nstorage type.","type":"string","format":"date-time"},"latestRestorableTime":{"description":"Specifies the latest time to which a database can be restored with point-in-time\nrestore.","type":"string","format":"date-time"},"masterUserSecret":{"description":"The secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager\nfor the master user password.","type":"object","properties":{"kmsKeyID":{"type":"string"},"secretARN":{"type":"string"},"secretStatus":{"type":"string"}}},"multiAZ":{"description":"Specifies whether the cluster has instances in multiple Availability Zones.","type":"boolean"},"percentProgress":{"description":"Specifies the progress of the operation as a percentage.","type":"string"},"readReplicaIdentifiers":{"description":"Contains one or more identifiers of the secondary clusters that are associated\nwith this cluster.","type":"array","items":{"type":"string"}},"readerEndpoint":{"description":"The reader endpoint for the cluster. The reader endpoint for a cluster load\nbalances connections across the Amazon DocumentDB replicas that are available\nin a cluster. As clients request new connections to the reader endpoint,\nAmazon DocumentDB distributes the connection requests among the Amazon DocumentDB\nreplicas in the cluster. This functionality can help balance your read workload\nacross multiple Amazon DocumentDB replicas in your cluster.\n\nIf a failover occurs, and the Amazon DocumentDB replica that you are connected\nto is promoted to be the primary instance, your connection is dropped. 
To\ncontinue sending your read workload to other Amazon DocumentDB replicas in\nthe cluster, you can then reconnect to the reader endpoint.","type":"string"},"replicationSourceIdentifier":{"description":"Contains the identifier of the source cluster if this cluster is a secondary\ncluster.","type":"string"},"status":{"description":"Specifies the current state of this cluster.","type":"string"},"vpcSecurityGroups":{"description":"Provides a list of virtual private cloud (VPC) security groups that the cluster\nbelongs to.","type":"array","items":{"description":"Used as a response element for queries on virtual private cloud (VPC) security\ngroup membership.","type":"object","properties":{"status":{"type":"string"},"vpcSecurityGroupID":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBCluster","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBCluster"},"aws.k8s.services.documentdb.v1alpha1.DBClusterList":{"description":"DBClusterList is a list of DBCluster","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbclusters. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.documentdb.v1alpha1.DBCluster"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBClusterList","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBClusterList"},"aws.k8s.services.documentdb.v1alpha1.DBInstance":{"description":"DBInstance is the Schema for the DBInstances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBInstanceSpec defines the desired state of DBInstance.\n\nDetailed information about an instance.","type":"object","required":["dbClusterIdentifier","dbInstanceClass","dbInstanceIdentifier","engine"],"properties":{"autoMinorVersionUpgrade":{"description":"This parameter does not apply to Amazon DocumentDB. 
Amazon DocumentDB does\nnot perform minor version upgrades regardless of the value set.\n\nDefault: false","type":"boolean"},"availabilityZone":{"description":"The Amazon EC2 Availability Zone that the instance is created in.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's Amazon\nWeb Services Region.\n\nExample: us-east-1d","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"caCertificateIdentifier":{"description":"The CA certificate identifier to use for the DB instance's server certificate.\n\nFor more information, see Updating Your Amazon DocumentDB TLS Certificates\n(https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html)\nand Encrypting Data in Transit (https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html)\nin the Amazon DocumentDB Developer Guide.","type":"string"},"copyTagsToSnapshot":{"description":"A value that indicates whether to copy tags from the DB instance to snapshots\nof the DB instance. By default, tags are not copied.","type":"boolean"},"dbClusterIdentifier":{"description":"The identifier of the cluster that the instance will belong to.","type":"string"},"dbInstanceClass":{"description":"The compute and memory capacity of the instance; for example, db.r5.large.","type":"string"},"dbInstanceIdentifier":{"description":"The instance identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n  - Must contain from 1 to 63 letters, numbers, or hyphens.\n\n  - The first character must be a letter.\n\n  - Cannot end with a hyphen or contain two consecutive hyphens.\n\nExample: mydbinstance","type":"string"},"engine":{"description":"The name of the database engine to be used for this instance.\n\nValid value: docdb","type":"string"},"performanceInsightsEnabled":{"description":"A value that indicates whether to enable Performance Insights for the DB\nInstance. 
For more information, see Using Amazon Performance Insights (https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html).","type":"boolean"},"performanceInsightsKMSKeyID":{"description":"The KMS key identifier for encryption of Performance Insights data.\n\nThe KMS key identifier is the key ARN, key ID, alias ARN, or alias name for\nthe KMS key.\n\nIf you do not specify a value for PerformanceInsightsKMSKeyId, then Amazon\nDocumentDB uses your default KMS key. There is a default KMS key for your\nAmazon Web Services account. Your Amazon Web Services account has a different\ndefault KMS key for each Amazon Web Services region.","type":"string"},"performanceInsightsKMSKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"preferredMaintenanceWindow":{"description":"The time range each week during which system maintenance can occur, in Universal\nCoordinated Time (UTC).\n\nFormat: ddd:hh24:mi-ddd:hh24:mi\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region, occurring on a random day of\nthe week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.","type":"string"},"promotionTier":{"description":"A value that specifies the order in which an Amazon DocumentDB replica is\npromoted to the primary instance after a failure of the existing primary\ninstance.\n\nDefault: 1\n\nValid values: 0-15","type":"integer","format":"int64"},"tags":{"description":"The tags to be assigned to the instance. 
You can assign up to 10 tags to\nan instance.","type":"array","items":{"description":"Metadata assigned to an Amazon DocumentDB resource consisting of a key-value\npair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBInstanceStatus defines the observed state of DBInstance","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"backupRetentionPeriod":{"description":"Specifies the number of days for which automatic snapshots are retained.","type":"integer","format":"int64"},"certificateDetails":{"description":"The details of the DB instance's server certificate.","type":"object","properties":{"cAIdentifier":{"type":"string"},"validTill":{"type":"string","format":"date-time"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service 
API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dbInstanceStatus":{"description":"Specifies the current state of this database.","type":"string"},"dbSubnetGroup":{"description":"Specifies information on the subnet group that is associated with the instance,\nincluding the name, description, and subnets in the subnet group.","type":"object","properties":{"dbSubnetGroupARN":{"type":"string"},"dbSubnetGroupDescription":{"type":"string"},"dbSubnetGroupName":{"type":"string"},"subnetGroupStatus":{"type":"string"},"subnets":{"type":"array","items":{"description":"Detailed information about a subnet.","type":"object","properties":{"subnetAvailabilityZone":{"description":"Information about an Availability Zone.","type":"object","properties":{"name":{"type":"string"}}},"subnetIdentifier":{"type":"string"},"subnetStatus":{"type":"string"}}}},"supportedNetworkTypes":{"type":"array","items":{"type":"string"}},"vpcID":{"type":"string"}}},"dbiResourceID":{"description":"The Amazon Web Services Region-unique, immutable identifier for the instance.\nThis identifier is found in CloudTrail log entries whenever the KMS key for\nthe instance is accessed.","type":"string"},"enabledCloudwatchLogsExports":{"description":"A list of log types that this 
instance is configured to export to CloudWatch\nLogs.","type":"array","items":{"type":"string"}},"endpoint":{"description":"Specifies the connection endpoint.","type":"object","properties":{"address":{"type":"string"},"hostedZoneID":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"engineVersion":{"description":"Indicates the database engine version.","type":"string"},"instanceCreateTime":{"description":"Provides the date and time that the instance was created.","type":"string","format":"date-time"},"kmsKeyID":{"description":"If StorageEncrypted is true, the KMS key identifier for the encrypted instance.","type":"string"},"latestRestorableTime":{"description":"Specifies the latest time to which a database can be restored with point-in-time\nrestore.","type":"string","format":"date-time"},"pendingModifiedValues":{"description":"Specifies that changes to the instance are pending. This element is included\nonly when changes are pending. Specific changes are identified by subelements.","type":"object","properties":{"allocatedStorage":{"type":"integer","format":"int64"},"backupRetentionPeriod":{"type":"integer","format":"int64"},"caCertificateIdentifier":{"type":"string"},"dbInstanceClass":{"type":"string"},"dbInstanceIdentifier":{"type":"string"},"dbSubnetGroupName":{"type":"string"},"engineVersion":{"type":"string"},"iops":{"type":"integer","format":"int64"},"licenseModel":{"type":"string"},"masterUserPassword":{"type":"string"},"multiAZ":{"type":"boolean"},"pendingCloudwatchLogsExports":{"description":"A list of the log types whose configuration is still pending. 
These log types\nare in the process of being activated or deactivated.","type":"object","properties":{"logTypesToDisable":{"type":"array","items":{"type":"string"}},"logTypesToEnable":{"type":"array","items":{"type":"string"}}}},"port":{"type":"integer","format":"int64"},"storageType":{"type":"string"}}},"preferredBackupWindow":{"description":"Specifies the daily time range during which automated backups are created\nif automated backups are enabled, as determined by the BackupRetentionPeriod.","type":"string"},"publiclyAccessible":{"description":"Not supported. Amazon DocumentDB does not currently support public endpoints.\nThe value of PubliclyAccessible is always false.","type":"boolean"},"statusInfos":{"description":"The status of a read replica. If the instance is not a read replica, this\nis blank.","type":"array","items":{"description":"Provides a list of status information for an instance.","type":"object","properties":{"message":{"type":"string"},"normal":{"type":"boolean"},"status":{"type":"string"},"statusType":{"type":"string"}}}},"storageEncrypted":{"description":"Specifies whether or not the instance is encrypted.","type":"boolean"},"vpcSecurityGroups":{"description":"Provides a list of VPC security group elements that the instance belongs\nto.","type":"array","items":{"description":"Used as a response element for queries on virtual private cloud (VPC) security\ngroup membership.","type":"object","properties":{"status":{"type":"string"},"vpcSecurityGroupID":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBInstance","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBInstance"},"aws.k8s.services.documentdb.v1alpha1.DBInstanceList":{"description":"DBInstanceList is a list of DBInstance","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbinstances. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.documentdb.v1alpha1.DBInstance"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBInstanceList","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBInstanceList"},"aws.k8s.services.documentdb.v1alpha1.DBSubnetGroup":{"description":"DBSubnetGroup is the Schema for the DBSubnetGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBSubnetGroupSpec defines the desired state of DBSubnetGroup.\n\nDetailed information about a subnet group.","type":"object","required":["description","name"],"properties":{"description":{"description":"The description for the subnet group.","type":"string"},"name":{"description":"The name for the subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 letters, numbers, periods, underscores,\nspaces, or hyphens. Must not be default.\n\nExample: mySubnetgroup","type":"string"},"subnetIDs":{"description":"The Amazon EC2 subnet IDs for the subnet group.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"The tags to be assigned to the subnet group.","type":"array","items":{"description":"Metadata assigned to an Amazon DocumentDB resource consisting of a key-value\npair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBSubnetGroupStatus defines the observed state of DBSubnetGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs 
managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the 
Condition","type":"string"}}}},"subnetGroupStatus":{"description":"Provides the status of the subnet group.","type":"string"},"subnets":{"description":"Detailed information about one or more subnets within a subnet group.","type":"array","items":{"description":"Detailed information about a subnet.","type":"object","properties":{"subnetAvailabilityZone":{"description":"Information about an Availability Zone.","type":"object","properties":{"name":{"type":"string"}}},"subnetIdentifier":{"type":"string"},"subnetStatus":{"type":"string"}}}},"supportedNetworkTypes":{"description":"The network type of the DB subnet group.\n\nValid Values: IPV4 | DUAL\n\nA DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6\nprotocols (DUAL).","type":"array","items":{"type":"string"}},"vpcID":{"description":"Provides the virtual private cloud (VPC) ID of the subnet group.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBSubnetGroup","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBSubnetGroup"},"aws.k8s.services.documentdb.v1alpha1.DBSubnetGroupList":{"description":"DBSubnetGroupList is a list of DBSubnetGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbsubnetgroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.documentdb.v1alpha1.DBSubnetGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"documentdb.services.k8s.aws","kind":"DBSubnetGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.documentdb.v1alpha1.DBSubnetGroupList"},"aws.k8s.services.ec2.v1alpha1.CapacityReservation":{"description":"CapacityReservation is the Schema for the CapacityReservations API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"CapacityReservationSpec defines the desired state of CapacityReservation.\n\nDescribes a Capacity Reservation.","type":"object","required":["instanceCount","instancePlatform","instanceType"],"properties":{"additionalInfo":{"description":"Reserved for future use.","type":"string"},"availabilityZone":{"description":"The Availability Zone in which to create the Capacity Reservation.","type":"string"},"availabilityZoneID":{"description":"The ID of the Availability Zone in which to create the Capacity Reservation.","type":"string"},"commitmentDuration":{"description":"Required for future-dated Capacity Reservations only. To create a Capacity\nReservation for immediate use, omit this parameter.\n\nSpecify a commitment duration, in seconds, for the future-dated Capacity\nReservation.\n\nThe commitment duration is a minimum duration for which you commit to having\nthe future-dated Capacity Reservation in the active state in your account\nafter it has been delivered.\n\nFor more information, see Commitment duration (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-concepts.html#cr-commitment-duration).","type":"integer","format":"int64"},"deliveryPreference":{"description":"Required for future-dated Capacity Reservations only. 
To create a Capacity\nReservation for immediate use, omit this parameter.\n\nIndicates that the requested capacity will be delivered in addition to any\nrunning instances or reserved capacity that you have in your account at the\nrequested date and time.\n\nThe only supported value is incremental.","type":"string"},"ebsOptimized":{"description":"Indicates whether the Capacity Reservation supports EBS-optimized instances.\nThis optimization provides dedicated throughput to Amazon EBS and an optimized\nconfiguration stack to provide optimal I/O performance. This optimization\nisn't available with all instance types. Additional usage charges apply when\nusing an EBS-optimized instance.","type":"boolean"},"endDate":{"description":"The date and time at which the Capacity Reservation expires. When a Capacity\nReservation expires, the reserved capacity is released and you can no longer\nlaunch instances into it. The Capacity Reservation's state changes to expired\nwhen it reaches its end date and time.\n\nYou must provide an EndDate value if EndDateType is limited. Omit EndDate\nif EndDateType is unlimited.\n\nIf the EndDateType is limited, the Capacity Reservation is cancelled within\nan hour from the specified time. For example, if you specify 5/31/2019, 13:30:55,\nthe Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55\non 5/31/2019.\n\nIf you are requesting a future-dated Capacity Reservation, you can't specify\nan end date and time that is within the commitment duration.","type":"string","format":"date-time"},"endDateType":{"description":"Indicates the way in which the Capacity Reservation ends. A Capacity Reservation\ncan have one of the following end types:\n\n  - unlimited - The Capacity Reservation remains active until you explicitly\n    cancel it. Do not provide an EndDate if the EndDateType is unlimited.\n\n  - limited - The Capacity Reservation expires automatically at a specified\n    date and time. 
You must provide an EndDate value if the EndDateType value\n    is limited.","type":"string"},"ephemeralStorage":{"description":"Deprecated.","type":"boolean"},"instanceCount":{"description":"The number of instances for which to reserve capacity.\n\nYou can request future-dated Capacity Reservations for an instance count\nwith a minimum of 32 vCPUs. For example, if you request a future-dated Capacity\nReservation for m5.xlarge instances, you must request at least 8 instances\n(8 * m5.xlarge = 32 vCPUs).\n\nValid range: 1 - 1000","type":"integer","format":"int64"},"instanceMatchCriteria":{"description":"Indicates the type of instance launches that the Capacity Reservation accepts.\nThe options include:\n\n  - open - The Capacity Reservation automatically matches all instances\n    that have matching attributes (instance type, platform, and Availability\n    Zone). Instances that have matching attributes run in the Capacity Reservation\n    automatically without specifying any additional parameters.\n\n  - targeted - The Capacity Reservation only accepts instances that have\n    matching attributes (instance type, platform, and Availability Zone),\n    and explicitly target the Capacity Reservation. 
This ensures that only\n    permitted instances can use the reserved capacity.\n\nIf you are requesting a future-dated Capacity Reservation, you must specify\ntargeted.\n\nDefault: open","type":"string"},"instancePlatform":{"description":"The type of operating system for which to reserve capacity.","type":"string"},"instanceType":{"description":"The instance type for which to reserve capacity.\n\nYou can request future-dated Capacity Reservations for instance types in\nthe C, M, R, I, T, and G instance families only.\n\nFor more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html)\nin the Amazon EC2 User Guide.","type":"string"},"outpostARN":{"description":"Not supported for future-dated Capacity Reservations.\n\nThe Amazon Resource Name (ARN) of the Outpost on which to create the Capacity\nReservation.\n\nRegex Pattern: `^arn:aws([a-z-]+)?:outposts:[a-z\\d-]+:\\d{12}:outpost/op-[a-f0-9]{17}$`","type":"string"},"placementGroupARN":{"description":"Not supported for future-dated Capacity Reservations.\n\nThe Amazon Resource Name (ARN) of the cluster placement group in which to\ncreate the Capacity Reservation. For more information, see Capacity Reservations\nfor cluster placement groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html)\nin the Amazon EC2 User Guide.\n\nRegex Pattern: `^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/^.{1,255}$`","type":"string"},"startDate":{"description":"Required for future-dated Capacity Reservations only. To create a Capacity\nReservation for immediate use, omit this parameter.\n\nThe date and time at which the future-dated Capacity Reservation should become\navailable for use, in the ISO8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ).\n\nYou can request a future-dated Capacity Reservation between 5 and 120 days\nin advance.","type":"string","format":"date-time"},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"tenancy":{"description":"Indicates the tenancy of the Capacity Reservation. A Capacity Reservation\ncan have one of the following tenancy settings:\n\n  - default - The Capacity Reservation is created on hardware that is shared\n    with other Amazon Web Services accounts.\n\n  - dedicated - The Capacity Reservation is created on single-tenant hardware\n    that is dedicated to a single Amazon Web Services account.","type":"string"}}},"status":{"description":"CapacityReservationStatus defines the observed state of CapacityReservation","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"availableInstanceCount":{"description":"The remaining capacity. 
Indicates the number of instances that can be launched\nin the Capacity Reservation.","type":"integer","format":"int64"},"capacityAllocations":{"description":"Information about instance capacity usage.","type":"array","items":{"description":"Information about instance capacity usage for a Capacity Reservation.","type":"object","properties":{"allocationType":{"type":"string"},"count":{"type":"integer","format":"int64"}}}},"capacityReservationFleetID":{"description":"The ID of the Capacity Reservation Fleet to which the Capacity Reservation\nbelongs. Only valid for Capacity Reservations that were created by a Capacity\nReservation Fleet.","type":"string"},"capacityReservationID":{"description":"The ID of the Capacity Reservation.","type":"string"},"commitmentInfo":{"description":"Information about your commitment for a future-dated Capacity Reservation.","type":"object","properties":{"commitmentEndDate":{"type":"string","format":"date-time"},"committedInstanceCount":{"type":"integer","format":"int64"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type 
is the type of the Condition","type":"string"}}}},"createDate":{"description":"The date and time the Capacity Reservation was created.","type":"string","format":"date-time"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the Capacity Reservation.","type":"string"},"reservationType":{"description":"The type of Capacity Reservation.","type":"string"},"state":{"description":"The current state of the Capacity Reservation. A Capacity Reservation can\nbe in one of the following states:\n\n   * active - The capacity is available for use.\n\n   * expired - The Capacity Reservation expired automatically at the date\n   and time specified in your reservation request. The reserved capacity\n   is no longer available for your use.\n\n   * cancelled - The Capacity Reservation was canceled. The reserved capacity\n   is no longer available for your use.\n\n   * pending - The Capacity Reservation request was successful but the capacity\n   provisioning is still pending.\n\n   * failed - The Capacity Reservation request has failed. A request can\n   fail due to request parameters that are not valid, capacity constraints,\n   or instance limit constraints. You can view a failed request for 60 minutes.\n\n   * scheduled - (Future-dated Capacity Reservations) The future-dated Capacity\n   Reservation request was approved and the Capacity Reservation is scheduled\n   for delivery on the requested start date.\n\n   * payment-pending - (Capacity Blocks) The upfront payment has not been\n   processed yet.\n\n   * payment-failed - (Capacity Blocks) The upfront payment was not processed\n   in the 12-hour time frame. 
Your Capacity Block was released.\n\n   * assessing - (Future-dated Capacity Reservations) Amazon EC2 is assessing\n   your request for a future-dated Capacity Reservation.\n\n   * delayed - (Future-dated Capacity Reservations) Amazon EC2 encountered\n   a delay in provisioning the requested future-dated Capacity Reservation.\n   Amazon EC2 is unable to deliver the requested capacity by the requested\n   start date and time.\n\n   * unsupported - (Future-dated Capacity Reservations) Amazon EC2 can't\n   support the future-dated Capacity Reservation request due to capacity\n   constraints. You can view unsupported requests for 30 days. The Capacity\n   Reservation will not be delivered.","type":"string"},"totalInstanceCount":{"description":"The total number of instances for which the Capacity Reservation reserves\ncapacity.","type":"integer","format":"int64"},"unusedReservationBillingOwnerID":{"description":"The ID of the Amazon Web Services account to which billing of the unused\ncapacity of the Capacity Reservation is assigned.\n\nRegex Pattern: `^[0-9]{12}$`","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"CapacityReservation","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.CapacityReservation"},"aws.k8s.services.ec2.v1alpha1.CapacityReservationList":{"description":"CapacityReservationList is a list of CapacityReservation","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of capacityreservations. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.CapacityReservation"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"CapacityReservationList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.CapacityReservationList"},"aws.k8s.services.ec2.v1alpha1.DHCPOptions":{"description":"DHCPOptions is the Schema for the DHCPOptions API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DhcpOptionsSpec defines the desired state of DhcpOptions.\n\nThe set of DHCP options.","type":"object","required":["dhcpConfigurations"],"properties":{"dhcpConfigurations":{"description":"A DHCP configuration option.","type":"array","items":{"description":"Describes a DHCP configuration option.","type":"object","properties":{"key":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpc":{"type":"array","items":{"type":"string"}},"vpcRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"status":{"description":"DHCPOptionsStatus defines the observed state of DHCPOptions","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dhcpOptionsID":{"description":"The ID of the set of DHCP options.","type":"string"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the DHCP options 
set.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"DHCPOptions","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.DHCPOptions"},"aws.k8s.services.ec2.v1alpha1.DHCPOptionsList":{"description":"DHCPOptionsList is a list of DHCPOptions","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dhcpoptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.DHCPOptions"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"DHCPOptionsList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.DHCPOptionsList"},"aws.k8s.services.ec2.v1alpha1.ElasticIPAddress":{"description":"ElasticIPAddress is the Schema for the ElasticIPAddresses API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ElasticIPAddressSpec defines the desired state of ElasticIPAddress.","type":"object","properties":{"address":{"description":"The Elastic IP address to recover or an IPv4 address from an address pool.","type":"string"},"customerOwnedIPv4Pool":{"description":"The ID of a customer-owned address pool. Use this parameter to let Amazon\nEC2 select an address from the address pool. Alternatively, specify a specific\naddress from the address pool.","type":"string"},"networkBorderGroup":{"description":"A unique set of Availability Zones, Local Zones, or Wavelength Zones from\nwhich Amazon Web Services advertises IP addresses. Use this parameter to\nlimit the IP address to this location. IP addresses cannot move between network\nborder groups.","type":"string"},"publicIPv4Pool":{"description":"The ID of an address pool that you own. Use this parameter to let Amazon\nEC2 select an address from the address pool. To specify a specific address\nfrom the address pool, use the Address parameter instead.","type":"string"},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"ElasticIPAddressStatus defines the observed state of ElasticIPAddress","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"allocationID":{"description":"The ID that represents the allocation of the Elastic IP address.","type":"string"},"carrierIP":{"description":"The carrier IP address. 
Available only for network interfaces that reside\nin a subnet in a Wavelength Zone.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"customerOwnedIP":{"description":"The customer-owned IP address.","type":"string"},"publicIP":{"description":"The Amazon-owned IP address. Not available when using an address pool that\nyou own.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"ElasticIPAddress","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.ElasticIPAddress"},"aws.k8s.services.ec2.v1alpha1.ElasticIPAddressList":{"description":"ElasticIPAddressList is a list of ElasticIPAddress","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of elasticipaddresses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.ElasticIPAddress"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"ElasticIPAddressList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.ElasticIPAddressList"},"aws.k8s.services.ec2.v1alpha1.FlowLog":{"description":"FlowLog is the Schema for the FlowLogs API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"FlowLogSpec defines the desired state of FlowLog.\n\nDescribes a flow log.","type":"object","required":["resourceID","resourceType"],"properties":{"deliverLogsPermissionARN":{"description":"The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the\nlog destination.\n\nThis parameter is required if the destination type is cloud-watch-logs, or\nif the destination type is kinesis-data-firehose and the delivery stream\nand the resources to monitor are in different accounts.","type":"string"},"destinationOptions":{"description":"The destination options.","type":"object","properties":{"fileFormat":{"type":"string"},"hiveCompatiblePartitions":{"type":"boolean"},"perHourPartition":{"type":"boolean"}}},"logDestination":{"description":"The destination for the flow log data. The meaning of this parameter depends\non the destination type.\n\n  - If the destination type is cloud-watch-logs, specify the ARN of a CloudWatch\n    Logs log group. For example: arn:aws:logs:region:account_id:log-group:my_group\n    Alternatively, use the LogGroupName parameter.\n\n  - If the destination type is s3, specify the ARN of an S3 bucket. For\n    example: arn:aws:s3:::my_bucket/my_subfolder/ The subfolder is optional.\n    Note that you can't use AWSLogs as a subfolder name.\n\n  - If the destination type is kinesis-data-firehose, specify the ARN of\n    a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose:region:account_id:deliverystream:my_stream","type":"string"},"logDestinationType":{"description":"The type of destination for the flow log data.\n\nDefault: cloud-watch-logs","type":"string"},"logFormat":{"description":"The fields to include in the flow log record. List the fields in the order\nin which they should appear. 
If you omit this parameter, the flow log is\ncreated using the default format. If you specify this parameter, you must\ninclude at least one field. For more information about the available fields,\nsee Flow log records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html)\nin the Amazon VPC User Guide or Transit Gateway Flow Log records (https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records)\nin the Amazon Web Services Transit Gateway Guide.\n\nSpecify the fields using the ${field-id} format, separated by spaces.","type":"string"},"logGroupName":{"description":"The name of a new or existing CloudWatch Logs log group where Amazon EC2\npublishes your flow logs.\n\nThis parameter is valid only if the destination type is cloud-watch-logs.","type":"string"},"maxAggregationInterval":{"description":"The maximum interval of time during which a flow of packets is captured and\naggregated into a flow log record. The possible values are 60 seconds (1\nminute) or 600 seconds (10 minutes). This parameter must be 60 seconds for\ntransit gateway resource types.\n\nWhen a network interface is attached to a Nitro-based instance (https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html),\nthe aggregation interval is always 60 seconds or less, regardless of the\nvalue that you specify.\n\nDefault: 600","type":"integer","format":"int64"},"resourceID":{"type":"string"},"resourceType":{"description":"The type of resource to monitor.","type":"string"},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"trafficType":{"description":"The type of traffic to monitor (accepted traffic, rejected traffic, or all\ntraffic). 
This parameter is not supported for transit gateway resource types.\nIt is required for the other resource types.","type":"string"}}},"status":{"description":"FlowLogStatus defines the observed state of FlowLog","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"clientToken":{"description":"Unique, case-sensitive identifier that you provide to ensure the idempotency\nof the request.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition 
transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"flowLogID":{"type":"string"},"unsuccessful":{"description":"Information about the flow logs that could not be created successfully.","type":"array","items":{"description":"Information about items that were not successfully processed in a batch call.","type":"object","properties":{"error":{"description":"Information about the error that occurred. For more information about errors,\nsee Error codes (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html).","type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"resourceID":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"FlowLog","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.FlowLog"},"aws.k8s.services.ec2.v1alpha1.FlowLogList":{"description":"FlowLogList is a list of FlowLog","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of flowlogs. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.FlowLog"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"FlowLogList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.FlowLogList"},"aws.k8s.services.ec2.v1alpha1.Instance":{"description":"Instance is the Schema for the Instances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"InstanceSpec defines the desired state of Instance.\n\nDescribes an instance.","type":"object","properties":{"blockDeviceMappings":{"description":"The block device mapping, which defines the EBS volumes and instance store\nvolumes to attach to the instance at launch. For more information, see Block\ndevice mappings (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html)\nin the Amazon EC2 User Guide.","type":"array","items":{"description":"Describes a block device mapping, which defines the EBS volumes and instance\nstore volumes to attach to an instance at launch.","type":"object","properties":{"deviceName":{"type":"string"},"ebs":{"description":"Describes a block device for an EBS volume.","type":"object","properties":{"deleteOnTermination":{"type":"boolean"},"encrypted":{"type":"boolean"},"iops":{"type":"integer","format":"int64"},"kmsKeyID":{"type":"string"},"outpostARN":{"type":"string"},"snapshotID":{"type":"string"},"throughput":{"type":"integer","format":"int64"},"volumeSize":{"type":"integer","format":"int64"},"volumeType":{"type":"string"}}},"noDevice":{"type":"string"},"virtualName":{"type":"string"}}}},"capacityReservationSpecification":{"description":"Information about the Capacity Reservation targeting option. 
If you do not\nspecify this parameter, the instance's Capacity Reservation preference defaults\nto open, which enables it to run in any open Capacity Reservation that has\nmatching attributes (instance type, platform, Availability Zone, and tenancy).","type":"object","properties":{"capacityReservationPreference":{"type":"string"},"capacityReservationTarget":{"description":"Describes a target Capacity Reservation or Capacity Reservation group.","type":"object","properties":{"capacityReservationID":{"type":"string"},"capacityReservationResourceGroupARN":{"type":"string"}}}}},"cpuOptions":{"description":"The CPU options for the instance. For more information, see Optimize CPU\noptions (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html)\nin the Amazon EC2 User Guide.","type":"object","properties":{"coreCount":{"type":"integer","format":"int64"},"threadsPerCore":{"type":"integer","format":"int64"}}},"creditSpecification":{"description":"The credit option for CPU usage of the burstable performance instance. Valid\nvalues are standard and unlimited. To change this attribute after launch,\nuse ModifyInstanceCreditSpecification (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html).\nFor more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html)\nin the Amazon EC2 User Guide.\n\nDefault: standard (T2 instances) or unlimited (T3/T3a/T4g instances)\n\nFor T3 instances with host tenancy, only standard is supported.","type":"object","properties":{"cpuCredits":{"type":"string"}}},"disableAPIStop":{"description":"Indicates whether an instance is enabled for stop protection. 
For more information,\nsee Enable stop protection for your EC2 instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-stop-protection.html).","type":"boolean"},"disableAPITermination":{"description":"Indicates whether termination protection is enabled for the instance. The\ndefault is false, which means that you can terminate the instance using the\nAmazon EC2 console, command line tools, or API. You can enable termination\nprotection when you launch an instance, while the instance is running, or\nwhile the instance is stopped.","type":"boolean"},"ebsOptimized":{"description":"Indicates whether the instance is optimized for Amazon EBS I/O. This optimization\nprovides dedicated throughput to Amazon EBS and an optimized configuration\nstack to provide optimal Amazon EBS I/O performance. This optimization isn't\navailable with all instance types. Additional usage charges apply when using\nan EBS-optimized instance.\n\nDefault: false","type":"boolean"},"elasticGPUSpecification":{"description":"An elastic GPU to associate with the instance.\n\nAmazon Elastic Graphics reached end of life on January 8, 2024.","type":"array","items":{"description":"Amazon Elastic Graphics reached end of life on January 8, 2024.\n\nA specification for an Elastic Graphics accelerator.","type":"object","properties":{"type":{"type":"string"}}}},"elasticInferenceAccelerators":{"description":"An elastic inference accelerator to associate with the instance.\n\nAmazon Elastic Inference is no longer available.","type":"array","items":{"description":"Amazon Elastic Inference is no longer available.\n\nDescribes an elastic inference accelerator.","type":"object","properties":{"count":{"type":"integer","format":"int64"},"type_":{"type":"string"}}}},"enclaveOptions":{"description":"Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves.\nFor more information, see Amazon Web Services Nitro Enclaves User Guide 
(https://docs.aws.amazon.com/enclaves/latest/user/).\n\nYou can't enable Amazon Web Services Nitro Enclaves and hibernation on the\nsame instance.","type":"object","properties":{"enabled":{"type":"boolean"}}},"hibernationOptions":{"description":"Indicates whether an instance is enabled for hibernation. This parameter\nis valid only if the instance meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html).\nFor more information, see Hibernate your Amazon EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html)\nin the Amazon EC2 User Guide.\n\nYou can't enable hibernation and Amazon Web Services Nitro Enclaves on the\nsame instance.","type":"object","properties":{"configured":{"type":"boolean"}}},"iamInstanceProfile":{"description":"The name or Amazon Resource Name (ARN) of an IAM instance profile.","type":"object","properties":{"arn":{"type":"string"},"name":{"type":"string"}}},"imageID":{"description":"The ID of the AMI. 
An AMI ID is required to launch an instance and must be\nspecified here or in a launch template.","type":"string"},"instanceInitiatedShutdownBehavior":{"description":"Indicates whether an instance stops or terminates when you initiate shutdown\nfrom the instance (using the operating system command for system shutdown).\n\nDefault: stop","type":"string"},"instanceMarketOptions":{"description":"The market (purchasing) option for the instances.\n\nFor RunInstances, persistent Spot Instance requests are only supported when\nInstanceInterruptionBehavior is set to either hibernate or stop.","type":"object","properties":{"marketType":{"type":"string"},"spotOptions":{"description":"The options for Spot Instances.","type":"object","properties":{"blockDurationMinutes":{"type":"integer","format":"int64"},"instanceInterruptionBehavior":{"type":"string"},"maxPrice":{"type":"string"},"spotInstanceType":{"type":"string"},"validUntil":{"type":"string","format":"date-time"}}}}},"instanceType":{"description":"The instance type. For more information, see Amazon EC2 Instance Types Guide\n(https://docs.aws.amazon.com/ec2/latest/instancetypes/instance-types.html).","type":"string"},"ipv6AddressCount":{"description":"The number of IPv6 addresses to associate with the primary network interface.\nAmazon EC2 chooses the IPv6 addresses from the range of your subnet. You\ncannot specify this option and the option to assign specific IPv6 addresses\nin the same request. You can specify this option if you've specified a minimum\nnumber of instances to launch.\n\nYou cannot specify this option and the network interfaces option in the same\nrequest.","type":"integer","format":"int64"},"ipv6Addresses":{"description":"The IPv6 addresses from the range of the subnet to associate with the primary\nnetwork interface. You cannot specify this option and the option to assign\na number of IPv6 addresses in the same request. 
You cannot specify this option\nif you've specified a minimum number of instances to launch.\n\nYou cannot specify this option and the network interfaces option in the same\nrequest.","type":"array","items":{"description":"Describes an IPv6 address.","type":"object","properties":{"ipv6Address":{"type":"string"}}}},"kernelID":{"description":"The ID of the kernel.\n\nWe recommend that you use PV-GRUB instead of kernels and RAM disks. For more\ninformation, see PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html)\nin the Amazon EC2 User Guide.","type":"string"},"keyName":{"description":"The name of the key pair. For more information, see Create a key pair for\nyour EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html).\n\nIf you do not specify a key pair, you can't connect to the instance unless\nyou choose an AMI that is configured to allow users another way to log in.","type":"string"},"launchTemplate":{"description":"The launch template. 
Any additional parameters that you specify for the new\ninstance overwrite the corresponding parameters included in the launch template.","type":"object","properties":{"launchTemplateID":{"type":"string"},"launchTemplateName":{"type":"string"},"launchTemplateRef":{"description":"Reference field for LaunchTemplateID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"version":{"type":"string"}}},"licenseSpecifications":{"description":"The license configurations.","type":"array","items":{"description":"Describes a license configuration.","type":"object","properties":{"licenseConfigurationARN":{"type":"string"}}}},"maintenanceOptions":{"description":"The maintenance and recovery options for the instance.","type":"object","properties":{"autoRecovery":{"type":"string"}}},"maxCount":{"description":"The maximum number of instances to launch. If you specify a value that is\nmore capacity than Amazon EC2 can launch in the target Availability Zone,\nAmazon EC2 launches the largest possible number of instances above the specified\nminimum count.\n\nConstraints: Between 1 and the quota for the specified instance type for\nyour account for this Region. For more information, see Amazon EC2 instance\ntype quotas (https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-instance-quotas.html).","type":"integer","format":"int64"},"metadataOptions":{"description":"The metadata options for the instance. 
For more information, see Configure\nthe Instance Metadata Service options (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html).","type":"object","properties":{"httpEndpoint":{"type":"string"},"httpProtocolIPv6":{"type":"string"},"httpPutResponseHopLimit":{"type":"integer","format":"int64"},"httpTokens":{"type":"string"},"instanceMetadataTags":{"type":"string"}}},"minCount":{"description":"The minimum number of instances to launch. If you specify a value that is\nmore capacity than Amazon EC2 can provide in the target Availability Zone,\nAmazon EC2 does not launch any instances.\n\nConstraints: Between 1 and the quota for the specified instance type for\nyour account for this Region. For more information, see Amazon EC2 instance\ntype quotas (https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-instance-quotas.html).","type":"integer","format":"int64"},"monitoring":{"description":"Specifies whether detailed monitoring is enabled for the instance.","type":"object","properties":{"enabled":{"type":"boolean"}}},"networkInterfaces":{"description":"The network interfaces to associate with the instance.","type":"array","items":{"description":"Describes a network interface.","type":"object","properties":{"associateCarrierIPAddress":{"type":"boolean"},"associatePublicIPAddress":{"type":"boolean"},"deleteOnTermination":{"type":"boolean"},"description":{"type":"string"},"deviceIndex":{"type":"integer","format":"int64"},"interfaceType":{"type":"string"},"ipv4PrefixCount":{"type":"integer","format":"int64"},"ipv4Prefixes":{"type":"array","items":{"description":"Describes the IPv4 prefix option for a network interface.","type":"object","properties":{"ipv4Prefix":{"type":"string"}}}},"ipv6AddressCount":{"type":"integer","format":"int64"},"ipv6Addresses":{"type":"array","items":{"description":"Describes an IPv6 
address.","type":"object","properties":{"ipv6Address":{"type":"string"}}}},"ipv6PrefixCount":{"type":"integer","format":"int64"},"ipv6Prefixes":{"type":"array","items":{"description":"Describes the IPv6 prefix option for a network interface.","type":"object","properties":{"ipv6Prefix":{"type":"string"}}}},"networkCardIndex":{"type":"integer","format":"int64"},"networkInterfaceID":{"type":"string"},"privateIPAddress":{"type":"string"},"privateIPAddresses":{"type":"array","items":{"description":"Describes a secondary private IPv4 address for a network interface.","type":"object","properties":{"primary":{"type":"boolean"},"privateIPAddress":{"type":"string"}}}},"secondaryPrivateIPAddressCount":{"type":"integer","format":"int64"},"subnetID":{"type":"string"}}}},"placement":{"description":"The placement for the instance.","type":"object","properties":{"affinity":{"type":"string"},"availabilityZone":{"type":"string"},"groupName":{"type":"string"},"hostID":{"type":"string"},"hostResourceGroupARN":{"type":"string"},"partitionNumber":{"type":"integer","format":"int64"},"spreadDomain":{"type":"string"},"tenancy":{"type":"string"}}},"privateDNSNameOptions":{"description":"The options for the instance hostname. The default values are inherited from\nthe subnet. Applies only if creating a network interface, not attaching an\nexisting one.","type":"object","properties":{"enableResourceNameDNSAAAARecord":{"type":"boolean"},"enableResourceNameDNSARecord":{"type":"boolean"},"hostnameType":{"type":"string"}}},"privateIPAddress":{"description":"The primary IPv4 address. You must specify a value from the IPv4 address\nrange of the subnet.\n\nOnly one private IP address can be designated as primary. You can't specify\nthis option if you've specified the option to designate a private IP address\nas the primary IP address in a network interface specification. 
You cannot\nspecify this option if you're launching more than one instance in the request.\n\nYou cannot specify this option and the network interfaces option in the same\nrequest.","type":"string"},"ramDiskID":{"description":"The ID of the RAM disk to select. Some kernels require additional drivers\nat launch. Check the kernel requirements for information about whether you\nneed to specify a RAM disk. To find kernel requirements, go to the Amazon\nWeb Services Resource Center and search for the kernel ID.\n\nWe recommend that you use PV-GRUB instead of kernels and RAM disks. For more\ninformation, see PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html)\nin the Amazon EC2 User Guide.","type":"string"},"securityGroupIDs":{"description":"The IDs of the security groups.\n\nIf you specify a network interface, you must specify any security groups\nas part of the network interface instead of using this parameter.","type":"array","items":{"type":"string"}},"securityGroups":{"description":"[Default VPC] The names of the security groups.\n\nIf you specify a network interface, you must specify any security groups\nas part of the network interface instead of using this parameter.\n\nDefault: Amazon EC2 uses the default security group.","type":"array","items":{"type":"string"}},"subnetID":{"description":"The ID of the subnet to launch the instance into.\n\nIf you specify a network interface, you must specify any subnets as part\nof the network interface instead of using this parameter.","type":"string"},"subnetRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"userData":{"description":"The user data to make available to the instance. User data must be base64-encoded.\nDepending on the tool or SDK that you're using, the base64-encoding might\nbe performed for you. For more information, see Run commands at launch using\ninstance user data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html).","type":"string"}}},"status":{"description":"InstanceStatus defines the observed state of Instance","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"amiLaunchIndex":{"description":"The AMI launch index, which can be used to find this instance in the launch\ngroup.","type":"integer","format":"int64"},"architecture":{"description":"The architecture of the image.","type":"string"},"bootMode":{"description":"The boot mode that was specified by the AMI. If the value is uefi-preferred,\nthe AMI supports both UEFI and Legacy BIOS. 
The currentInstanceBootMode parameter\nis the boot mode that is used to boot the instance at launch or start.\n\nThe operating system contained in the AMI must be configured to support the\nspecified boot mode.\n\nFor more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html)\nin the Amazon EC2 User Guide.","type":"string"},"capacityReservationID":{"description":"The ID of the Capacity Reservation.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"elasticGPUAssociations":{"description":"Deprecated.\n\nAmazon Elastic Graphics reached end of life on January 8, 2024.","type":"array","items":{"description":"Amazon Elastic Graphics reached end of life on January 8, 2024.\n\nDescribes the association between an instance and an Elastic Graphics 
accelerator.","type":"object","properties":{"elasticGPUAssociationID":{"type":"string"},"elasticGPUAssociationState":{"type":"string"},"elasticGPUAssociationTime":{"type":"string"},"elasticGPUID":{"type":"string"}}}},"elasticInferenceAcceleratorAssociations":{"description":"Deprecated\n\nAmazon Elastic Inference is no longer available.","type":"array","items":{"description":"Amazon Elastic Inference is no longer available.\n\nDescribes the association between an instance and an elastic inference accelerator.","type":"object","properties":{"elasticInferenceAcceleratorARN":{"type":"string"},"elasticInferenceAcceleratorAssociationID":{"type":"string"},"elasticInferenceAcceleratorAssociationState":{"type":"string"},"elasticInferenceAcceleratorAssociationTime":{"type":"string","format":"date-time"}}}},"enaSupport":{"description":"Specifies whether enhanced networking with ENA is enabled.","type":"boolean"},"hypervisor":{"description":"The hypervisor type of the instance. The value xen is used for both Xen and\nNitro hypervisors.","type":"string"},"instanceID":{"description":"The ID of the instance.","type":"string"},"instanceLifecycle":{"description":"Indicates whether this is a Spot Instance or a Scheduled Instance.","type":"string"},"ipv6Address":{"description":"The IPv6 address assigned to the instance.","type":"string"},"launchTime":{"description":"The time that the instance was last launched. To determine the time that\ninstance was first launched, see the attachment time for the primary network\ninterface.","type":"string","format":"date-time"},"licenses":{"description":"The license configurations for the instance.","type":"array","items":{"description":"Describes a license configuration.","type":"object","properties":{"licenseConfigurationARN":{"type":"string"}}}},"outpostARN":{"description":"The Amazon Resource Name (ARN) of the Outpost.","type":"string"},"platform":{"description":"The platform. 
This value is windows for Windows instances; otherwise, it\nis empty.","type":"string"},"platformDetails":{"description":"The platform details value for the instance. For more information, see AMI\nbilling information fields (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/billing-info-fields.html)\nin the Amazon EC2 User Guide.","type":"string"},"privateDNSName":{"description":"[IPv4 only] The private DNS hostname name assigned to the instance. This\nDNS hostname can only be used inside the Amazon EC2 network. This name is\nnot available until the instance enters the running state.\n\nThe Amazon-provided DNS server resolves Amazon-provided private DNS hostnames\nif you've enabled DNS resolution and DNS hostnames in your VPC. If you are\nnot using the Amazon-provided DNS server in your VPC, your custom domain\nname servers must resolve the hostname as appropriate.","type":"string"},"productCodes":{"description":"The product codes attached to this instance, if applicable.","type":"array","items":{"description":"Describes a product code.","type":"object","properties":{"productCodeID":{"type":"string"},"productCodeType":{"type":"string"}}}},"publicDNSName":{"description":"The public DNS name assigned to the instance. This name is not available\nuntil the instance enters the running state. This name is only available\nif you've enabled DNS hostnames for your VPC. 
The format of this name depends\non the public hostname type (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hostname-types.html#public-hostnames).","type":"string"},"publicIPAddress":{"description":"The public IPv4 address, or the Carrier IP address assigned to the instance,\nif applicable.\n\nA Carrier IP address only applies to an instance launched in a subnet associated\nwith a Wavelength Zone.","type":"string"},"rootDeviceName":{"description":"The device name of the root device volume (for example, /dev/sda1).","type":"string"},"rootDeviceType":{"description":"The root device type used by the AMI. The AMI can use an EBS volume or an\ninstance store volume.","type":"string"},"sourceDestCheck":{"description":"Indicates whether source/destination checking is enabled.","type":"boolean"},"spotInstanceRequestID":{"description":"If the request is a Spot Instance request, the ID of the request.","type":"string"},"sriovNetSupport":{"description":"Specifies whether enhanced networking with the Intel 82599 Virtual Function\ninterface is enabled.","type":"string"},"state":{"description":"The current state of the instance.","type":"object","properties":{"code":{"type":"integer","format":"int64"},"name":{"type":"string"}}},"stateReason":{"description":"The reason for the most recent state transition.","type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"stateTransitionReason":{"description":"The reason for the most recent state transition. This might be an empty string.","type":"string"},"tpmSupport":{"description":"If the instance is configured for NitroTPM support, the value is v2.0. For\nmore information, see NitroTPM (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html)\nin the Amazon EC2 User Guide.","type":"string"},"usageOperation":{"description":"The usage operation value for the instance. 
For more information, see AMI\nbilling information fields (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/billing-info-fields.html)\nin the Amazon EC2 User Guide.","type":"string"},"usageOperationUpdateTime":{"description":"The time that the usage operation was last updated.","type":"string","format":"date-time"},"virtualizationType":{"description":"The virtualization type of the instance.","type":"string"},"vpcID":{"description":"The ID of the VPC in which the instance is running.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"Instance","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.Instance"},"aws.k8s.services.ec2.v1alpha1.InstanceList":{"description":"InstanceList is a list of Instance","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of instances. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.Instance"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"InstanceList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.InstanceList"},"aws.k8s.services.ec2.v1alpha1.InternetGateway":{"description":"InternetGateway is the Schema for the InternetGateways API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"InternetGatewaySpec defines the desired state of InternetGateway.\n\nDescribes an internet gateway.","type":"object","properties":{"routeTableRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"routeTables":{"type":"array","items":{"type":"string"}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpc":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"InternetGatewayStatus defines the observed state of InternetGateway","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have 
a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"attachments":{"description":"Any VPCs attached to the internet gateway.","type":"array","items":{"description":"Describes the attachment of a VPC to an internet gateway or an egress-only\ninternet gateway.","type":"object","properties":{"state":{"type":"string"},"vpcID":{"type":"string"}}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the 
transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"internetGatewayID":{"description":"The ID of the internet gateway.","type":"string"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the internet gateway.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"InternetGateway","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.InternetGateway"},"aws.k8s.services.ec2.v1alpha1.InternetGatewayList":{"description":"InternetGatewayList is a list of InternetGateway","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of internetgateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.InternetGateway"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"InternetGatewayList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.InternetGatewayList"},"aws.k8s.services.ec2.v1alpha1.LaunchTemplate":{"description":"LaunchTemplate is the Schema for the LaunchTemplates API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"LaunchTemplateSpec defines the desired state of LaunchTemplate.\n\nDescribes a launch template.","type":"object","required":["data","name"],"properties":{"data":{"description":"The information for the launch template.","type":"object","properties":{"blockDeviceMappings":{"type":"array","items":{"description":"Describes a block device mapping.","type":"object","properties":{"deviceName":{"type":"string"},"ebs":{"description":"The parameters for a block device for an EBS volume.","type":"object","properties":{"deleteOnTermination":{"type":"boolean"},"encrypted":{"type":"boolean"},"iops":{"type":"integer","format":"int64"},"kmsKeyID":{"type":"string"},"snapshotID":{"type":"string"},"throughput":{"type":"integer","format":"int64"},"volumeSize":{"type":"integer","format":"int64"},"volumeType":{"type":"string"}}},"noDevice":{"type":"string"},"virtualName":{"type":"string"}}}},"capacityReservationSpecification":{"description":"Describes an instance's Capacity Reservation targeting option. You can specify\nonly one option at a time. Use the CapacityReservationPreference parameter\nto configure the instance to run in On-Demand capacity or to run in any open\nCapacity Reservation that has matching attributes (instance type, platform,\nAvailability Zone). Use the CapacityReservationTarget parameter to explicitly\ntarget a specific Capacity Reservation or a Capacity Reservation group.","type":"object","properties":{"capacityReservationPreference":{"type":"string"},"capacityReservationTarget":{"description":"Describes a target Capacity Reservation or Capacity Reservation group.","type":"object","properties":{"capacityReservationID":{"type":"string"},"capacityReservationResourceGroupARN":{"type":"string"}}}}},"cpuOptions":{"description":"The CPU options for the instance. 
Both the core count and threads per core\nmust be specified in the request.","type":"object","properties":{"amdSevSnp":{"type":"string"},"coreCount":{"type":"integer","format":"int64"},"threadsPerCore":{"type":"integer","format":"int64"}}},"creditSpecification":{"description":"The credit option for CPU usage of a T instance.","type":"object","properties":{"cpuCredits":{"type":"string"}}},"disableAPIStop":{"type":"boolean"},"disableAPITermination":{"type":"boolean"},"ebsOptimized":{"type":"boolean"},"elasticGPUSpecifications":{"type":"array","items":{"description":"Amazon Elastic Graphics reached end of life on January 8, 2024.\n\nA specification for an Elastic Graphics accelerator.","type":"object","properties":{"type":{"type":"string"}}}},"elasticInferenceAccelerators":{"type":"array","items":{"description":"Amazon Elastic Inference is no longer available.\n\nDescribes an elastic inference accelerator.","type":"object","properties":{"count":{"type":"integer","format":"int64"},"type":{"type":"string"}}}},"enclaveOptions":{"description":"Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves.\nFor more information, see What is Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html)\nin the Amazon Web Services Nitro Enclaves User Guide.","type":"object","properties":{"enabled":{"type":"boolean"}}},"hibernationOptions":{"description":"Indicates whether the instance is configured for hibernation. 
This parameter\nis valid only if the instance meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html).","type":"object","properties":{"configured":{"type":"boolean"}}},"iamInstanceProfile":{"description":"An IAM instance profile.","type":"object","properties":{"arn":{"type":"string"},"name":{"type":"string"}}},"imageID":{"type":"string"},"instanceInitiatedShutdownBehavior":{"type":"string"},"instanceMarketOptions":{"description":"The market (purchasing) option for the instances.","type":"object","properties":{"marketType":{"type":"string"},"spotOptions":{"description":"The options for Spot Instances.","type":"object","properties":{"blockDurationMinutes":{"type":"integer","format":"int64"},"instanceInterruptionBehavior":{"type":"string"},"maxPrice":{"type":"string"},"spotInstanceType":{"type":"string"},"validUntil":{"type":"string","format":"date-time"}}}}},"instanceRequirements":{"description":"The attributes for the instance types. When you specify instance attributes,\nAmazon EC2 will identify instance types with these attributes.\n\nYou must specify VCpuCount and MemoryMiB. All other attributes are optional.\nAny unspecified optional attribute is set to its default.\n\nWhen you specify multiple attributes, you get instance types that satisfy\nall of the specified attributes. If you specify multiple values for an attribute,\nyou get instance types that satisfy any of the specified values.\n\nTo limit the list of instance types from which Amazon EC2 can identify matching\ninstance types, you can use one of the following parameters, but not both\nin the same request:\n\n   * AllowedInstanceTypes - The instance types to include in the list. 
All\n   other instance types are ignored, even if they match your specified attributes.\n\n   * ExcludedInstanceTypes - The instance types to exclude from the list,\n   even if they match your specified attributes.\n\nIf you specify InstanceRequirements, you can't specify InstanceType.\n\nAttribute-based instance type selection is only supported when using Auto\nScaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan\nto use the launch template in the launch instance wizard (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html),\nor with the RunInstances (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html)\nAPI or AWS::EC2::Instance (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html)\nAmazon Web Services CloudFormation resource, you can't specify InstanceRequirements.\n\nFor more information, see Specify attributes for instance type selection\nfor EC2 Fleet or Spot Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html)\nand Spot placement score (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html)\nin the Amazon EC2 User Guide.","type":"object","properties":{"acceleratorCount":{"description":"The minimum and maximum number of accelerators (GPUs, FPGAs, or Amazon Web\nServices Inferentia chips) on an instance. 
To exclude accelerator-enabled\ninstance types, set Max to 0.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}},"acceleratorManufacturers":{"type":"array","items":{"type":"string"}},"acceleratorNames":{"type":"array","items":{"type":"string"}},"acceleratorTotalMemoryMiB":{"description":"The minimum and maximum amount of total accelerator memory, in MiB.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}},"acceleratorTypes":{"type":"array","items":{"type":"string"}},"allowedInstanceTypes":{"type":"array","items":{"type":"string"}},"bareMetal":{"type":"string"},"baselineEBSBandwidthMbps":{"description":"The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more\ninformation, see Amazon EBS–optimized instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html)\nin the Amazon EC2 User Guide.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}},"baselinePerformanceFactors":{"description":"The baseline performance to consider, using an instance family as a baseline\nreference. The instance family establishes the lowest acceptable level of\nperformance. Amazon EC2 uses this baseline to guide instance type selection,\nbut there is no guarantee that the selected instance types will always exceed\nthe baseline for every application.\n\nCurrently, this parameter only supports CPU performance as a baseline performance\nfactor. 
For example, specifying c6i would use the CPU performance of the\nc6i family as the baseline reference.","type":"object","properties":{"cpu":{"description":"The CPU performance to consider, using an instance family as the baseline\nreference.","type":"object","properties":{"references":{"type":"array","items":{"description":"Specify an instance family to use as the baseline reference for CPU performance.\nAll instance types that match your specified attributes will be compared\nagainst the CPU performance of the referenced instance family, regardless\nof CPU manufacturer or architecture.\n\nCurrently, only one instance family can be specified in the list.","type":"object","properties":{"instanceFamily":{"type":"string"}}}}}}}},"burstablePerformance":{"type":"string"},"cpuManufacturers":{"type":"array","items":{"type":"string"}},"excludedInstanceTypes":{"type":"array","items":{"type":"string"}},"instanceGenerations":{"type":"array","items":{"type":"string"}},"localStorage":{"type":"string"},"localStorageTypes":{"type":"array","items":{"type":"string"}},"maxSpotPriceAsPercentageOfOptimalOnDemandPrice":{"type":"integer","format":"int64"},"memoryGiBPerVCPU":{"description":"The minimum and maximum amount of memory per vCPU, in GiB.","type":"object","properties":{"max":{"type":"number"},"min":{"type":"number"}}},"memoryMiB":{"description":"The minimum and maximum amount of memory, in MiB.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}},"networkBandwidthGbps":{"description":"The minimum and maximum amount of network bandwidth, in gigabits per second\n(Gbps).\n\nSetting the minimum bandwidth does not guarantee that your instance will\nachieve the minimum bandwidth. Amazon EC2 will identify instance types that\nsupport the specified minimum bandwidth, but the actual bandwidth of your\ninstance might go below the specified minimum at times. 
For more information,\nsee Available instance bandwidth (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html#available-instance-bandwidth)\nin the Amazon EC2 User Guide.","type":"object","properties":{"max":{"type":"number"},"min":{"type":"number"}}},"networkInterfaceCount":{"description":"The minimum and maximum number of network interfaces.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}},"onDemandMaxPricePercentageOverLowestPrice":{"type":"integer","format":"int64"},"requireHibernateSupport":{"type":"boolean"},"spotMaxPricePercentageOverLowestPrice":{"type":"integer","format":"int64"},"totalLocalStorageGB":{"description":"The minimum and maximum amount of total local storage, in GB.","type":"object","properties":{"max":{"type":"number"},"min":{"type":"number"}}},"vCPUCount":{"description":"The minimum and maximum number of vCPUs.","type":"object","properties":{"max":{"type":"integer","format":"int64"},"min":{"type":"integer","format":"int64"}}}}},"instanceType":{"type":"string"},"kernelID":{"type":"string"},"keyName":{"type":"string"},"licenseSpecifications":{"type":"array","items":{"description":"Describes a license configuration.","type":"object","properties":{"licenseConfigurationARN":{"type":"string"}}}},"maintenanceOptions":{"description":"The maintenance options of your instance.","type":"object","properties":{"autoRecovery":{"type":"string"}}},"metadataOptions":{"description":"The metadata options for the instance. 
For more information, see Use instance\nmetadata to manage your EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)\nin the Amazon EC2 User Guide.","type":"object","properties":{"httpEndpoint":{"type":"string"},"httpProtocolIPv6":{"type":"string"},"httpPutResponseHopLimit":{"type":"integer","format":"int64"},"httpTokens":{"type":"string"},"instanceMetadataTags":{"type":"string"}}},"monitoring":{"description":"Describes the monitoring for the instance.","type":"object","properties":{"enabled":{"type":"boolean"}}},"networkInterfaces":{"type":"array","items":{"description":"The parameters for a network interface.","type":"object","properties":{"associateCarrierIPAddress":{"type":"boolean"},"associatePublicIPAddress":{"type":"boolean"},"deleteOnTermination":{"type":"boolean"},"description":{"type":"string"},"deviceIndex":{"type":"integer","format":"int64"},"groups":{"type":"array","items":{"type":"string"}},"interfaceType":{"type":"string"},"ipv4PrefixCount":{"type":"integer","format":"int64"},"ipv4Prefixes":{"type":"array","items":{"description":"Describes the IPv4 prefix option for a network interface.","type":"object","properties":{"ipv4Prefix":{"type":"string"}}}},"ipv6AddressCount":{"type":"integer","format":"int64"},"ipv6Addresses":{"type":"array","items":{"description":"Describes an IPv6 address.","type":"object","properties":{"ipv6Address":{"type":"string"}}}},"ipv6PrefixCount":{"type":"integer","format":"int64"},"ipv6Prefixes":{"type":"array","items":{"description":"Describes the IPv6 prefix option for a network interface.","type":"object","properties":{"ipv6Prefix":{"type":"string"}}}},"networkCardIndex":{"type":"integer","format":"int64"},"networkInterfaceID":{"type":"string"},"primaryIPv6":{"type":"boolean"},"privateIPAddress":{"type":"string"},"privateIPAddresses":{"type":"array","items":{"description":"Describes a secondary private IPv4 address for a network 
interface.","type":"object","properties":{"primary":{"type":"boolean"},"privateIPAddress":{"type":"string"}}}},"secondaryPrivateIPAddressCount":{"type":"integer","format":"int64"},"subnetID":{"type":"string"}}}},"placement":{"description":"Describes the placement of an instance.","type":"object","properties":{"affinity":{"type":"string"},"availabilityZone":{"type":"string"},"groupID":{"type":"string"},"groupName":{"type":"string"},"hostID":{"type":"string"},"hostResourceGroupARN":{"type":"string"},"partitionNumber":{"type":"integer","format":"int64"},"spreadDomain":{"type":"string"},"tenancy":{"type":"string"}}},"privateDNSNameOptions":{"description":"Describes the options for instance hostnames.","type":"object","properties":{"enableResourceNameDNSAAAARecord":{"type":"boolean"},"enableResourceNameDNSARecord":{"type":"boolean"},"hostnameType":{"type":"string"}}},"ramDiskID":{"type":"string"},"securityGroupIDs":{"type":"array","items":{"type":"string"}},"securityGroups":{"type":"array","items":{"type":"string"}},"userData":{"type":"string"}}},"defaultVersion":{"description":"The version number of the default version of the launch template.","type":"integer","format":"int64"},"name":{"description":"A name for the launch template.\n\nRegex Pattern: `^[a-zA-Z0-9\\(\\)\\.\\-/_]+$`","type":"string"},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"versionDescription":{"description":"A description for the first version of the launch template.","type":"string"}}},"status":{"description":"LaunchTemplateStatus defines the observed state of LaunchTemplate","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its 
backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"createTime":{"description":"The time the launch template was created.","type":"string","format":"date-time"},"createdBy":{"description":"The principal that created the launch template.","type":"string"},"id":{"description":"The ID of the launch template.","type":"string"},"latestVersion":{"description":"The version number of the latest version of the launch template.","type":"integer","format":"int64"},"operator":{"description":"The entity that manages the launch template.","type":"object","properties":{"managed":{"type":"boolean"},"principal":{"type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"LaunchTemplate","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.LaunchTemplate"},"aws.k8s.services.ec2.v1alpha1.LaunchTemplateList":{"description":"LaunchTemplateList is a list of LaunchTemplate","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of launchtemplates. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.LaunchTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"LaunchTemplateList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.LaunchTemplateList"},"aws.k8s.services.ec2.v1alpha1.ManagedPrefixList":{"description":"ManagedPrefixList is the Schema for the ManagedPrefixLists API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ManagedPrefixListSpec defines the desired state of ManagedPrefixList.\n\nDescribes a managed prefix list.","type":"object","required":["addressFamily","maxEntries","name"],"properties":{"addressFamily":{"description":"The IP address type.\n\nValid Values: IPv4 | IPv6","type":"string"},"entries":{"type":"array","items":{"description":"An entry for a prefix list.","type":"object","properties":{"cidr":{"type":"string"},"description":{"type":"string"}}}},"maxEntries":{"description":"The maximum number of entries for the prefix list.","type":"integer","format":"int64"},"name":{"description":"A name for the prefix list.\n\nConstraints: Up to 255 characters in length. The name cannot start with com.amazonaws.","type":"string"},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"ManagedPrefixListStatus defines the observed state of ManagedPrefixList","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"id":{"description":"The ID of the prefix list.","type":"string"},"ownerID":{"description":"The ID of the owner of the prefix list.","type":"string"},"state":{"description":"The current state of the prefix list.","type":"string"},"stateMessage":{"description":"The state 
message.","type":"string"},"version":{"description":"The version of the prefix list.","type":"integer","format":"int64"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"ManagedPrefixList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.ManagedPrefixList"},"aws.k8s.services.ec2.v1alpha1.ManagedPrefixListList":{"description":"ManagedPrefixListList is a list of ManagedPrefixList","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of managedprefixlists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.ManagedPrefixList"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"ManagedPrefixListList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.ManagedPrefixListList"},"aws.k8s.services.ec2.v1alpha1.NATGateway":{"description":"NATGateway is the Schema for the NATGateways API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"NatGatewaySpec defines the desired state of NatGateway.\n\nDescribes a NAT gateway.","type":"object","properties":{"allocationID":{"description":"[Public NAT gateways only] The allocation ID of an Elastic IP address to\nassociate with the NAT gateway. You cannot specify an Elastic IP address\nwith a private NAT gateway. 
If the Elastic IP address is associated with\nanother resource, you must first disassociate it.","type":"string"},"allocationRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"availabilityMode":{"description":"Specifies whether to create a zonal (single-AZ) or regional (multi-AZ) NAT\ngateway. Defaults to zonal.\n\nA zonal NAT gateway is a NAT Gateway that provides redundancy and scalability\nwithin a single availability zone. A regional NAT gateway is a single NAT\nGateway that works across multiple availability zones (AZs) in your VPC,\nproviding redundancy, scalability and availability across all the AZs in\na Region.\n\nFor more information, see Regional NAT gateways for automatic multi-AZ expansion\n(https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html)\nin the Amazon VPC User Guide.","type":"string"},"availabilityZoneAddresses":{"description":"For regional NAT gateways only: Specifies which Availability Zones you want\nthe NAT gateway to support and the Elastic IP addresses (EIPs) to use in\neach AZ. The regional NAT gateway uses these EIPs to handle outbound NAT\ntraffic from their respective AZs. If not specified, the NAT gateway will\nautomatically expand to new AZs and associate EIPs upon detection of an elastic\nnetwork interface. 
If you specify this parameter, auto-expansion is disabled\nand you must manually manage AZ coverage.\n\nA regional NAT gateway is a single NAT Gateway that works across multiple\navailability zones (AZs) in your VPC, providing redundancy, scalability and\navailability across all the AZs in a Region.\n\nFor more information, see Regional NAT gateways for automatic multi-AZ expansion\n(https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html)\nin the Amazon VPC User Guide.","type":"array","items":{"description":"For regional NAT gateways only: The configuration specifying which Elastic\nIP address (EIP) to use for handling outbound NAT traffic from a specific\nAvailability Zone.\n\nA regional NAT gateway is a single NAT Gateway that works across multiple\navailability zones (AZs) in your VPC, providing redundancy, scalability and\navailability across all the AZs in a Region.\n\nFor more information, see Regional NAT gateways for automatic multi-AZ expansion\n(https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html)\nin the Amazon VPC User Guide.","type":"object","properties":{"allocationIDs":{"type":"array","items":{"type":"string"}},"availabilityZone":{"type":"string"},"availabilityZoneID":{"type":"string"}}}},"connectivityType":{"description":"Indicates whether the NAT gateway supports public or private connectivity.\nThe default is public connectivity.","type":"string"},"subnetID":{"description":"The ID of the subnet in which to create the NAT gateway.","type":"string"},"subnetRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the VPC where you want to create a regional NAT gateway.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"NATGatewayStatus defines the observed state of NATGateway","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"createTime":{"description":"The date and time the NAT gateway was created.","type":"string","format":"date-time"},"deleteTime":{"description":"The date and time the NAT gateway was deleted, if applicable.","type":"string","format":"date-time"},"failureCode":{"description":"If the NAT 
gateway could not be created, specifies the error code for the\nfailure. (InsufficientFreeAddressesInSubnet | Gateway.NotAttached | InvalidAllocationID.NotFound\n| Resource.AlreadyAssociated | InternalError | InvalidSubnetID.NotFound)","type":"string"},"failureMessage":{"description":"If the NAT gateway could not be created, specifies the error message for\nthe failure, that corresponds to the error code.\n\n   * For InsufficientFreeAddressesInSubnet: \"Subnet has insufficient free\n   addresses to create this NAT gateway\"\n\n   * For Gateway.NotAttached: \"Network vpc-xxxxxxxx has no Internet gateway\n   attached\"\n\n   * For InvalidAllocationID.NotFound: \"Elastic IP address eipalloc-xxxxxxxx\n   could not be associated with this NAT gateway\"\n\n   * For Resource.AlreadyAssociated: \"Elastic IP address eipalloc-xxxxxxxx\n   is already associated\"\n\n   * For InternalError: \"Network interface eni-xxxxxxxx, created and used\n   internally by this NAT gateway is in an invalid state. Please try again.\"\n\n   * For InvalidSubnetID.NotFound: \"The specified subnet subnet-xxxxxxxx\n   does not exist or could not be found.\"","type":"string"},"natGatewayAddresses":{"description":"Information about the IP addresses and network interface associated with\nthe NAT gateway.","type":"array","items":{"description":"Describes the IP addresses and network interface associated with a NAT gateway.","type":"object","properties":{"allocationID":{"type":"string"},"availabilityZone":{"type":"string"},"availabilityZoneID":{"type":"string"},"networkInterfaceID":{"type":"string"},"privateIP":{"type":"string"},"publicIP":{"type":"string"}}}},"natGatewayID":{"description":"The ID of the NAT gateway.","type":"string"},"provisionedBandwidth":{"description":"Reserved. 
If you need to sustain traffic greater than the documented limits\n(https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-gateways),\ncontact Amazon Web Services Support.","type":"object","properties":{"provisionTime":{"type":"string","format":"date-time"},"provisioned":{"type":"string"},"requestTime":{"type":"string","format":"date-time"},"requested":{"type":"string"},"status":{"type":"string"}}},"state":{"description":"The state of the NAT gateway.\n\n   * pending: The NAT gateway is being created and is not ready to process\n   traffic.\n\n   * failed: The NAT gateway could not be created. Check the failureCode\n   and failureMessage fields for the reason.\n\n   * available: The NAT gateway is able to process traffic. This status remains\n   until you delete the NAT gateway, and does not indicate the health of\n   the NAT gateway.\n\n   * deleting: The NAT gateway is in the process of being terminated and\n   may still be processing traffic.\n\n   * deleted: The NAT gateway has been terminated and is no longer processing\n   traffic.","type":"string"},"vpcID":{"description":"The ID of the VPC in which the NAT gateway is located.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"NATGateway","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.NATGateway"},"aws.k8s.services.ec2.v1alpha1.NATGatewayList":{"description":"NATGatewayList is a list of NATGateway","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of natgateways. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.NATGateway"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"NATGatewayList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.NATGatewayList"},"aws.k8s.services.ec2.v1alpha1.NetworkACL":{"description":"NetworkACL is the Schema for the NetworkACLS API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"NetworkAclSpec defines the desired state of NetworkAcl.\n\nDescribes a network ACL.","type":"object","properties":{"associations":{"type":"array","items":{"description":"Describes an association between a network ACL and a subnet.","type":"object","properties":{"networkACLAssociationID":{"type":"string"},"networkACLID":{"type":"string"},"subnetID":{"type":"string"},"subnetRef":{"description":"Reference field for SubnetID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"entries":{"type":"array","items":{"description":"Describes an entry in a network ACL.","type":"object","properties":{"cidrBlock":{"type":"string"},"egress":{"type":"boolean"},"icmpTypeCode":{"description":"Describes the ICMP type and code.","type":"object","properties":{"code":{"type":"integer","format":"int64"},"type_":{"type":"integer","format":"int64"}}},"ipv6CIDRBlock":{"type":"string"},"portRange":{"description":"Describes a range of ports.","type":"object","properties":{"from":{"type":"integer","format":"int64"},"to":{"type":"integer","format":"int64"}}},"protocol":{"type":"string"},"ruleAction":{"type":"string"},"ruleNumber":{"type":"integer","format":"int64"}}}},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"NetworkACLStatus defines the observed state of NetworkACL","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"id":{"description":"The ID of the network ACL.","type":"string"},"isDefault":{"description":"Indicates whether this is the default network ACL for the VPC.","type":"boolean"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the network 
ACL.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"NetworkACL","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.NetworkACL"},"aws.k8s.services.ec2.v1alpha1.NetworkACLList":{"description":"NetworkACLList is a list of NetworkACL","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of networkacls. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.NetworkACL"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"NetworkACLList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.NetworkACLList"},"aws.k8s.services.ec2.v1alpha1.RouteTable":{"description":"RouteTable is the Schema for the RouteTables API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"RouteTableSpec defines the desired state of RouteTable.\n\nDescribes a route table.","type":"object","properties":{"routes":{"type":"array","items":{"type":"object","properties":{"carrierGatewayID":{"type":"string"},"coreNetworkARN":{"type":"string"},"destinationCIDRBlock":{"type":"string"},"destinationIPv6CIDRBlock":{"type":"string"},"destinationPrefixListID":{"type":"string"},"egressOnlyInternetGatewayID":{"type":"string"},"gatewayID":{"type":"string"},"gatewayRef":{"description":"Reference field for GatewayID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"instanceID":{"type":"string"},"localGatewayID":{"type":"string"},"natGatewayID":{"type":"string"},"natGatewayRef":{"description":"Reference field for NATGatewayID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"networkInterfaceID":{"type":"string"},"transitGatewayID":{"type":"string"},"transitGatewayRef":{"description":"Reference field for TransitGatewayID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"vpcEndpointID":{"type":"string"},"vpcEndpointRef":{"description":"Reference field for VPCEndpointID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"vpcPeeringConnectionID":{"type":"string"},"vpcPeeringConnectionRef":{"description":"Reference field for VPCPeeringConnectionID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"RouteTableStatus defines the observed state of RouteTable","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"associations":{"description":"The associations between the route table and your subnets or gateways.","type":"array","items":{"description":"Describes an association between a route table and a subnet or gateway.","type":"object","properties":{"associationState":{"description":"Describes the state of an association between a route table and a subnet\nor gateway.","type":"object","properties":{"state":{"type":"string"},"statusMessage":{"type":"string"}}},"gatewayID":{"type":"string"},"main":{"type":"boolean"},"routeTableAssociationID":{"type":"string"},"routeTableID":{"type":"string"},"subnetID":{"type":"string"}}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human 
readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the route table.","type":"string"},"propagatingVGWs":{"description":"Any virtual private gateway (VGW) propagating routes.","type":"array","items":{"description":"Describes a virtual private gateway propagating route.","type":"object","properties":{"gatewayID":{"type":"string"}}}},"routeStatuses":{"description":"The routes in the route table.","type":"array","items":{"description":"Describes a route in a route table.","type":"object","properties":{"carrierGatewayID":{"type":"string"},"coreNetworkARN":{"type":"string"},"destinationCIDRBlock":{"type":"string"},"destinationIPv6CIDRBlock":{"type":"string"},"destinationPrefixListID":{"type":"string"},"egressOnlyInternetGatewayID":{"type":"string"},"gatewayID":{"type":"string"},"instanceID":{"type":"string"},"instanceOwnerID":{"type":"string"},"localGatewayID":{"type":"string"},"natGatewayID":{"type":"string"},"networkInterfaceID":{"type":"string"},"origin":{"type":"string"},"state":{"type":"string"},"transitGatewayID":{"type":"string"},"vpcPeeringConnectionID":{"type":"string"}}}},"routeTableID":{"description":"The ID of the route table.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"RouteTable","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.RouteTable"},"aws.k8s.services.ec2.v1alpha1.RouteTableList":{"description":"RouteTableList is a list of RouteTable","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of routetables. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.RouteTable"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"RouteTableList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.RouteTableList"},"aws.k8s.services.ec2.v1alpha1.SecurityGroup":{"description":"SecurityGroup is the Schema for the SecurityGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecurityGroupSpec defines the desired state of SecurityGroup.\n\nDescribes a security group.","type":"object","required":["description","name"],"properties":{"description":{"description":"A description for the security group.\n\nConstraints: Up to 255 characters in length\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*","type":"string"},"egressRules":{"type":"array","items":{"description":"Describes the permissions for a security group rule.","type":"object","properties":{"fromPort":{"type":"integer","format":"int64"},"ipProtocol":{"type":"string"},"ipRanges":{"type":"array","items":{"description":"Describes an IPv4 address range.","type":"object","properties":{"cidrIP":{"type":"string"},"description":{"type":"string"}}}},"ipv6Ranges":{"type":"array","items":{"description":"Describes an IPv6 address range.","type":"object","properties":{"cidrIPv6":{"type":"string"},"description":{"type":"string"}}}},"prefixListIDs":{"type":"array","items":{"description":"Describes a prefix list ID.","type":"object","properties":{"description":{"type":"string"},"prefixListID":{"type":"string"}}}},"toPort":{"type":"integer","format":"int64"},"userIDGroupPairs":{"type":"array","items":{"description":"Describes a security group and Amazon Web Services account ID pair.","type":"object","properties":{"description":{"type":"string"},"groupID":{"type":"string"},"groupName":{"type":"string"},"groupRef":{"description":"Reference field for GroupID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for 
finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"peeringStatus":{"type":"string"},"userID":{"type":"string"},"vpcID":{"type":"string"},"vpcPeeringConnectionID":{"type":"string"},"vpcRef":{"description":"Reference field for VPCID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}}}}},"ingressRules":{"type":"array","items":{"description":"Describes the permissions for a security group rule.","type":"object","properties":{"fromPort":{"type":"integer","format":"int64"},"ipProtocol":{"type":"string"},"ipRanges":{"type":"array","items":{"description":"Describes an IPv4 address range.","type":"object","properties":{"cidrIP":{"type":"string"},"description":{"type":"string"}}}},"ipv6Ranges":{"type":"array","items":{"description":"Describes an IPv6 address range.","type":"object","properties":{"cidrIPv6":{"type":"string"},"description":{"type":"string"}}}},"prefixListIDs":{"type":"array","items":{"description":"Describes a prefix list ID.","type":"object","properties":{"description":{"type":"string"},"prefixListID":{"type":"string"}}}},"toPort":{"type":"integer","format":"int64"},"userIDGroupPairs":{"type":"array","items":{"description":"Describes a security group and Amazon Web Services account ID pair.","type":"object","properties":{"description":{"type":"string"},"groupID":{"type":"string"},"groupName":{"type":"string"},"groupRef":{"description":"Reference field for GroupID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"peeringStatus":{"type":"string"},"userID":{"type":"string"},"vpcID":{"type":"string"},"vpcPeeringConnectionID":{"type":"string"},"vpcRef":{"description":"Reference field for VPCID","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}}}}},"name":{"description":"The name of the security group. Names are case-insensitive and must be unique\nwithin the VPC.\n\nConstraints: Up to 255 characters in length. Can't start with sg-.\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*","type":"string"},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the VPC. 
Required for a nondefault VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"SecurityGroupStatus defines the observed state of SecurityGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"id":{"description":"The ID of the security group.","type":"string"},"rules":{"description":"Information about security group rules.","type":"array","items":{"description":"Describes a security group 
rule.","type":"object","properties":{"cidrIPv4":{"type":"string"},"cidrIPv6":{"type":"string"},"description":{"type":"string"},"fromPort":{"type":"integer","format":"int64"},"ipProtocol":{"type":"string"},"isEgress":{"type":"boolean"},"prefixListID":{"type":"string"},"securityGroupRuleID":{"type":"string"},"tags":{"type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"toPort":{"type":"integer","format":"int64"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"SecurityGroup","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.SecurityGroup"},"aws.k8s.services.ec2.v1alpha1.SecurityGroupList":{"description":"SecurityGroupList is a list of SecurityGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of securitygroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.SecurityGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"SecurityGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.SecurityGroupList"},"aws.k8s.services.ec2.v1alpha1.Subnet":{"description":"Subnet is the Schema for the Subnets API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SubnetSpec defines the desired state of Subnet.\n\nDescribes a subnet.","type":"object","properties":{"assignIPv6AddressOnCreation":{"type":"boolean"},"availabilityZone":{"description":"The Availability Zone or Local Zone for the subnet.\n\nDefault: Amazon Web Services selects one for you. If you create more than\none subnet in your VPC, we do not necessarily select a different zone for\neach subnet.\n\nTo create a subnet in a Local Zone, set this value to the Local Zone ID,\nfor example us-west-2-lax-1a. 
For information about the Regions that support\nLocal Zones, see Available Local Zones (https://docs.aws.amazon.com/local-zones/latest/ug/available-local-zones.html).\n\nTo create a subnet in an Outpost, set this value to the Availability Zone\nfor the Outpost and specify the Outpost ARN.","type":"string"},"availabilityZoneID":{"description":"The AZ ID or the Local Zone ID of the subnet.","type":"string"},"cidrBlock":{"description":"The IPv4 network range for the subnet, in CIDR notation. For example, 10.0.0.0/24.\nWe modify the specified CIDR block to its canonical form; for example, if\nyou specify 100.68.0.18/18, we modify it to 100.68.0.0/18.\n\nThis parameter is not supported for an IPv6 only subnet.","type":"string"},"customerOwnedIPv4Pool":{"type":"string"},"enableDNS64":{"type":"boolean"},"enableResourceNameDNSAAAARecord":{"type":"boolean"},"enableResourceNameDNSARecord":{"type":"boolean"},"hostnameType":{"type":"string"},"ipv6CIDRBlock":{"description":"The IPv6 network range for the subnet, in CIDR notation. This parameter is\nrequired for an IPv6 only subnet.","type":"string"},"ipv6Native":{"description":"Indicates whether to create an IPv6 only subnet.","type":"boolean"},"mapPublicIPOnLaunch":{"type":"boolean"},"outpostARN":{"description":"The Amazon Resource Name (ARN) of the Outpost. 
If you specify an Outpost\nARN, you must also specify the Availability Zone of the Outpost subnet.","type":"string"},"routeTableRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"routeTables":{"type":"array","items":{"type":"string"}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"SubnetStatus defines the observed state of Subnet","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the 
resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"availableIPAddressCount":{"description":"The number of unused private IPv4 addresses in the subnet. The IPv4 addresses\nfor any stopped instances are considered unavailable.","type":"integer","format":"int64"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, 
Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"defaultForAZ":{"description":"Indicates whether this is the default subnet for the Availability Zone.","type":"boolean"},"enableLniAtDeviceIndex":{"description":"Indicates the device position for local network interfaces in this subnet.\nFor example, 1 indicates local network interfaces in this subnet are the\nsecondary network interface (eth1).","type":"integer","format":"int64"},"ipv6CIDRBlockAssociationSet":{"description":"Information about the IPv6 CIDR blocks associated with the subnet.","type":"array","items":{"description":"Describes an association between a subnet and an IPv6 CIDR block.","type":"object","properties":{"associationID":{"type":"string"},"ipv6CIDRBlock":{"type":"string"},"ipv6CIDRBlockState":{"description":"Describes the state of a CIDR block.","type":"object","properties":{"state":{"type":"string"},"statusMessage":{"type":"string"}}}}}},"mapCustomerOwnedIPOnLaunch":{"description":"Indicates whether a network interface created in this subnet (including a\nnetwork interface created by RunInstances) receives a customer-owned IPv4\naddress.","type":"boolean"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the subnet.","type":"string"},"privateDNSNameOptionsOnLaunch":{"description":"The type of hostnames to assign to instances in the subnet at launch. 
An\ninstance hostname is based on the IPv4 address or ID of the instance.","type":"object","properties":{"enableResourceNameDNSAAAARecord":{"type":"boolean"},"enableResourceNameDNSARecord":{"type":"boolean"},"hostnameType":{"type":"string"}}},"state":{"description":"The current state of the subnet.\n\n   * failed: The underlying infrastructure to support the subnet failed to\n   provision as expected.\n\n   * failed-insufficient-capacity: The underlying infrastructure to support\n   the subnet failed to provision due to a shortage of EC2 instance capacity.","type":"string"},"subnetID":{"description":"The ID of the subnet.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"Subnet","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.Subnet"},"aws.k8s.services.ec2.v1alpha1.SubnetList":{"description":"SubnetList is a list of Subnet","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of subnets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.Subnet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"SubnetList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.SubnetList"},"aws.k8s.services.ec2.v1alpha1.TransitGateway":{"description":"TransitGateway is the Schema for the TransitGateways API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"TransitGatewaySpec defines the desired state of TransitGateway.\n\nDescribes a transit gateway.","type":"object","properties":{"description":{"description":"A description of the transit gateway.","type":"string"},"options":{"description":"The transit gateway options.","type":"object","properties":{"amazonSideASN":{"type":"integer","format":"int64"},"autoAcceptSharedAttachments":{"type":"string"},"defaultRouteTableAssociation":{"type":"string"},"defaultRouteTablePropagation":{"type":"string"},"dnsSupport":{"type":"string"},"multicastSupport":{"type":"string"},"transitGatewayCIDRBlocks":{"type":"array","items":{"type":"string"}},"vpnECMPSupport":{"type":"string"}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"TransitGatewayStatus defines the observed state of TransitGateway","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"creationTime":{"description":"The creation time.","type":"string","format":"date-time"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the transit gateway.","type":"string"},"state":{"description":"The state of the transit 
gateway.","type":"string"},"transitGatewayID":{"description":"The ID of the transit gateway.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"TransitGateway","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.TransitGateway"},"aws.k8s.services.ec2.v1alpha1.TransitGatewayList":{"description":"TransitGatewayList is a list of TransitGateway","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of transitgateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.TransitGateway"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"TransitGatewayList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.TransitGatewayList"},"aws.k8s.services.ec2.v1alpha1.TransitGatewayVPCAttachment":{"description":"TransitGatewayVPCAttachment is the Schema for the TransitGatewayVPCAttachments API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"TransitGatewayVpcAttachmentSpec defines the desired state of TransitGatewayVpcAttachment.\n\nDescribes a VPC attachment.","type":"object","properties":{"options":{"description":"The VPC attachment options.","type":"object","properties":{"applianceModeSupport":{"type":"string"},"dnsSupport":{"type":"string"},"ipv6Support":{"type":"string"},"securityGroupReferencingSupport":{"type":"string"}}},"subnetIDs":{"description":"The IDs of one or more subnets. You can specify only one subnet per Availability\nZone. 
You must specify at least one subnet, but we recommend that you specify\ntwo subnets for better availability. The transit gateway uses one IP address\nfrom each specified subnet.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"transitGatewayID":{"description":"The ID of the transit gateway.","type":"string"},"transitGatewayRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"vpcID":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: 
my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"TransitGatewayVPCAttachmentStatus defines the observed state of TransitGatewayVPCAttachment","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API 
resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"creationTime":{"description":"The creation time.","type":"string","format":"date-time"},"id":{"description":"The ID of the attachment.","type":"string"},"state":{"description":"The state of the VPC attachment. Note that the initiating state has been\ndeprecated.","type":"string"},"vpcOwnerID":{"description":"The ID of the Amazon Web Services account that owns the VPC.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"TransitGatewayVPCAttachment","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.TransitGatewayVPCAttachment"},"aws.k8s.services.ec2.v1alpha1.TransitGatewayVPCAttachmentList":{"description":"TransitGatewayVPCAttachmentList is a list of TransitGatewayVPCAttachment","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of transitgatewayvpcattachments. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.TransitGatewayVPCAttachment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"TransitGatewayVPCAttachmentList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.TransitGatewayVPCAttachmentList"},"aws.k8s.services.ec2.v1alpha1.VPC":{"description":"VPC is the Schema for the VPCS API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"VpcSpec defines the desired state of Vpc.\n\nDescribes a VPC.","type":"object","required":["cidrBlocks"],"properties":{"amazonProvidedIPv6CIDRBlock":{"description":"Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for\nthe VPC. You cannot specify the range of IP addresses, or the size of the\nCIDR block.","type":"boolean"},"cidrBlocks":{"type":"array","items":{"type":"string"}},"disallowSecurityGroupDefaultRules":{"type":"boolean"},"enableDNSHostnames":{"description":"The attribute value. The valid values are true or false.","type":"boolean"},"enableDNSSupport":{"description":"The attribute value. The valid values are true or false.","type":"boolean"},"instanceTenancy":{"description":"The tenancy options for instances launched into the VPC. For default, instances\nare launched with shared tenancy by default. You can launch instances with\nany tenancy into a shared tenancy VPC. For dedicated, instances are launched\nas dedicated tenancy instances by default. You can only launch instances\nwith a tenancy of dedicated or host into a dedicated tenancy VPC.\n\nImportant: The host value cannot be used with this parameter. Use the default\nor dedicated values only.\n\nDefault: default","type":"string"},"ipv4IPAMPoolID":{"description":"The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR.\nFor more information, see What is IPAM? (https://docs.aws.amazon.com/vpc/latest/ipam/what-is-it-ipam.html)\nin the Amazon VPC IPAM User Guide.","type":"string"},"ipv4NetmaskLength":{"description":"The netmask length of the IPv4 CIDR you want to allocate to this VPC from\nan Amazon VPC IP Address Manager (IPAM) pool. For more information about\nIPAM, see What is IPAM? 
(https://docs.aws.amazon.com/vpc/latest/ipam/what-is-it-ipam.html)\nin the Amazon VPC IPAM User Guide.","type":"integer","format":"int64"},"ipv6CIDRBlock":{"description":"The IPv6 CIDR block from the IPv6 address pool. You must also specify Ipv6Pool\nin the request.\n\nTo let Amazon choose the IPv6 CIDR block for you, omit this parameter.","type":"string"},"ipv6CIDRBlockNetworkBorderGroup":{"description":"The name of the location from which we advertise the IPV6 CIDR block. Use\nthis parameter to limit the address to this location.\n\nYou must set AmazonProvidedIpv6CidrBlock to true to use this parameter.","type":"string"},"ipv6IPAMPoolID":{"description":"The ID of an IPv6 IPAM pool which will be used to allocate this VPC an IPv6\nCIDR. IPAM is a VPC feature that you can use to automate your IP address\nmanagement workflows including assigning, tracking, troubleshooting, and\nauditing IP addresses across Amazon Web Services Regions and accounts throughout\nyour Amazon Web Services Organization. For more information, see What is\nIPAM? (https://docs.aws.amazon.com/vpc/latest/ipam/what-is-it-ipam.html)\nin the Amazon VPC IPAM User Guide.","type":"string"},"ipv6NetmaskLength":{"description":"The netmask length of the IPv6 CIDR you want to allocate to this VPC from\nan Amazon VPC IP Address Manager (IPAM) pool. For more information about\nIPAM, see What is IPAM? (https://docs.aws.amazon.com/vpc/latest/ipam/what-is-it-ipam.html)\nin the Amazon VPC IPAM User Guide.","type":"integer","format":"int64"},"ipv6Pool":{"description":"The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block.","type":"string"},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"VPCStatus defines the observed state of VPC","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"cidrBlockAssociationSet":{"description":"Information about the IPv4 CIDR blocks associated with the VPC.","type":"array","items":{"description":"Describes an IPv4 CIDR block associated with a VPC.","type":"object","properties":{"associationID":{"type":"string"},"cidrBlock":{"type":"string"},"cidrBlockState":{"description":"Describes the state of a CIDR block.","type":"object","properties":{"state":{"type":"string"},"statusMessage":{"type":"string"}}}}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member 
that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dhcpOptionsID":{"description":"The ID of the set of DHCP options you've associated with the VPC.","type":"string"},"ipv6CIDRBlockAssociationSet":{"description":"Information about the IPv6 CIDR blocks associated with the VPC.","type":"array","items":{"description":"Describes an IPv6 CIDR block associated with a VPC.","type":"object","properties":{"associationID":{"type":"string"},"ipv6CIDRBlock":{"type":"string"},"ipv6CIDRBlockState":{"description":"Describes the state of a CIDR block.","type":"object","properties":{"state":{"type":"string"},"statusMessage":{"type":"string"}}},"ipv6Pool":{"type":"string"},"networkBorderGroup":{"type":"string"}}}},"isDefault":{"description":"Indicates whether the VPC is the default VPC.","type":"boolean"},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the VPC.","type":"string"},"securityGroupDefaultRulesExist":{"type":"boolean"},"state":{"description":"The current state of the VPC.","type":"string"},"vpcID":{"description":"The ID of the 
VPC.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPC","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPC"},"aws.k8s.services.ec2.v1alpha1.VPCEndpoint":{"description":"VPCEndpoint is the Schema for the VPCEndpoints API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"VpcEndpointSpec defines the desired state of VpcEndpoint.\n\nDescribes a VPC endpoint.","type":"object","properties":{"dnsOptions":{"description":"The DNS options for the endpoint.","type":"object","properties":{"dnsRecordIPType":{"type":"string"}}},"ipAddressType":{"description":"The IP address type for the endpoint.","type":"string"},"policyDocument":{"description":"(Interface and gateway endpoints) A policy to attach to the endpoint that\ncontrols access to the service. 
The policy must be in valid JSON format.\nIf this parameter is not specified, we attach a default policy that allows\nfull access to the service. Supply a policy explicitly when access through\nthe endpoint should be limited to specific principals, actions or resources.","type":"string"},"privateDNSEnabled":{"description":"(Interface endpoint) Indicates whether to associate a private hosted zone\nwith the specified VPC. The private hosted zone contains a record set for\nthe default public DNS name for the service for the Region (for example,\nkinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses\nof the endpoint network interfaces in the VPC. This enables you to make requests\nto the default public DNS name for the service instead of the public DNS\nnames that are automatically generated by the VPC endpoint service.\n\nTo use a private hosted zone, you must set the following VPC attributes to\ntrue: enableDnsHostnames and enableDnsSupport. Use ModifyVpcAttribute to\nset the VPC attributes.","type":"boolean"},"routeTableIDs":{"description":"(Gateway endpoint) The route table IDs.","type":"array","items":{"type":"string"}},"routeTableRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"securityGroupIDs":{"description":"(Interface endpoint) The IDs of the security groups to associate with the\nendpoint network interfaces. 
If this parameter is not specified, we use the\ndefault security group for the VPC.","type":"array","items":{"type":"string"}},"securityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"serviceName":{"description":"The name of the endpoint service.","type":"string"},"serviceNetworkARN":{"description":"The Amazon Resource Name (ARN) of a service network that will be associated\nwith the VPC endpoint of type service-network.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"serviceRegion":{"description":"The Region where the service is hosted. The default is the current Region.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"subnetIDs":{"description":"(Interface and Gateway Load Balancer endpoints) The IDs of the subnets in\nwhich to create endpoint network interfaces. 
For a Gateway Load Balancer\nendpoint, you can specify only one subnet.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcEndpointType":{"description":"The type of endpoint.\n\nDefault: Gateway","type":"string"},"vpcID":{"description":"The ID of the VPC.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"VPCEndpointStatus defines the observed state of VPCEndpoint","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the 
resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"creationTimestamp":{"description":"The date and time that the endpoint was 
created.","type":"string","format":"date-time"},"dnsEntries":{"description":"(Interface endpoint) The DNS entries for the endpoint.","type":"array","items":{"description":"Describes a DNS entry.","type":"object","properties":{"dnsName":{"type":"string"},"hostedZoneID":{"type":"string"}}}},"groups":{"description":"(Interface endpoint) Information about the security groups that are associated\nwith the network interface.","type":"array","items":{"description":"Describes a security group.","type":"object","properties":{"groupID":{"type":"string"},"groupName":{"type":"string"}}}},"lastError":{"description":"The last error that occurred for the endpoint.","type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"networkInterfaceIDs":{"description":"(Interface endpoint) The network interfaces for the endpoint.","type":"array","items":{"type":"string"}},"ownerID":{"description":"The ID of the Amazon Web Services account that owns the endpoint.","type":"string"},"requesterManaged":{"description":"Indicates whether the endpoint is being managed by its service.","type":"boolean"},"state":{"description":"The state of the endpoint.","type":"string"},"vpcEndpointID":{"description":"The ID of the endpoint.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCEndpoint","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCEndpoint"},"aws.k8s.services.ec2.v1alpha1.VPCEndpointList":{"description":"VPCEndpointList is a list of VPCEndpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of vpcendpoints. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.VPCEndpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCEndpointList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCEndpointList"},"aws.k8s.services.ec2.v1alpha1.VPCEndpointServiceConfiguration":{"description":"VPCEndpointServiceConfiguration is the Schema for the VPCEndpointServiceConfigurations API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"VpcEndpointServiceConfigurationSpec defines the desired state of VpcEndpointServiceConfiguration.","type":"object","properties":{"acceptanceRequired":{"description":"Indicates whether requests from service consumers to create an endpoint to\nyour service must be accepted manually.","type":"boolean"},"allowedPrincipals":{"description":"The Amazon Resource Names (ARNs) of the principals. Permissions are granted\nto the principals in this list. To grant permissions to all principals, specify\nan asterisk (*). An asterisk grants those permissions to every principal,\nso combine it with acceptanceRequired when endpoint requests should be\nreviewed before they are accepted.","type":"array","items":{"type":"string"}},"gatewayLoadBalancerARNs":{"description":"The Amazon Resource Names (ARNs) of the Gateway Load Balancers.","type":"array","items":{"type":"string"}},"networkLoadBalancerARNs":{"description":"The Amazon Resource Names (ARNs) of the Network Load Balancers.","type":"array","items":{"type":"string"}},"privateDNSName":{"description":"(Interface endpoint configuration) The private DNS name to assign to the\nVPC endpoint service.","type":"string"},"supportedIPAddressTypes":{"description":"The supported IP address types. The possible values are ipv4 and ipv6.","type":"array","items":{"type":"string"}},"tags":{"description":"The tags. 
The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"VPCEndpointServiceConfigurationStatus defines the observed state of VPCEndpointServiceConfiguration","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"availabilityZones":{"description":"The Availability Zones in which the service is available.\n\nEither AvailabilityZone or AvailabilityZoneId can be specified, but not both","type":"array","items":{"type":"string"}},"baseEndpointDNSNames":{"description":"The DNS names for the service.","type":"array","items":{"type":"string"}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe 
various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"managesVPCEndpoints":{"description":"Indicates whether the service manages its VPC endpoints. Management of the\nservice VPC endpoints using the VPC endpoint API is restricted.","type":"boolean"},"payerResponsibility":{"description":"The payer responsibility.","type":"string"},"privateDNSNameConfiguration":{"description":"Information about the endpoint service private DNS name configuration.","type":"object","properties":{"name":{"type":"string"},"state":{"type":"string"},"type_":{"type":"string"},"value":{"type":"string"}}},"serviceID":{"description":"The ID of the service.","type":"string"},"serviceName":{"description":"The name of the service.","type":"string"},"serviceState":{"description":"The service state.","type":"string"},"serviceType":{"description":"The type of service.","type":"array","items":{"description":"Describes the type of service for a VPC 
endpoint.","type":"object","properties":{"serviceType":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCEndpointServiceConfiguration","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCEndpointServiceConfiguration"},"aws.k8s.services.ec2.v1alpha1.VPCEndpointServiceConfigurationList":{"description":"VPCEndpointServiceConfigurationList is a list of VPCEndpointServiceConfiguration","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of vpcendpointserviceconfigurations. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.VPCEndpointServiceConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCEndpointServiceConfigurationList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCEndpointServiceConfigurationList"},"aws.k8s.services.ec2.v1alpha1.VPCList":{"description":"VPCList is a list of VPC","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of vpcs. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.VPC"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCList"},"aws.k8s.services.ec2.v1alpha1.VPCPeeringConnection":{"description":"VPCPeeringConnection is the Schema for the VPCPeeringConnections API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"VpcPeeringConnectionSpec defines the desired state of VpcPeeringConnection.\n\nDescribes a VPC peering connection.","type":"object","properties":{"acceptRequest":{"type":"boolean"},"accepterPeeringConnectionOptions":{"description":"The VPC peering connection options for the accepter VPC.","type":"object","properties":{"allowDNSResolutionFromRemoteVPC":{"type":"boolean"},"allowEgressFromLocalClassicLinkToRemoteVPC":{"type":"boolean"},"allowEgressFromLocalVPCToRemoteClassicLink":{"type":"boolean"}}},"peerOwnerID":{"description":"The Amazon Web Services account ID of the owner of the accepter VPC.\n\nDefault: Your Amazon Web Services account ID","type":"string"},"peerRegion":{"description":"The Region code for the accepter VPC, if the accepter VPC is located in a\nRegion other than the Region in which you make the request.\n\nDefault: The Region in which you make the request.","type":"string"},"peerVPCID":{"description":"The ID of the VPC with which you are creating the VPC peering connection.\nYou must specify this parameter in the request.","type":"string"},"peerVPCRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"requesterPeeringConnectionOptions":{"description":"The VPC peering connection options for the requester 
VPC.","type":"object","properties":{"allowDNSResolutionFromRemoteVPC":{"type":"boolean"},"allowEgressFromLocalClassicLinkToRemoteVPC":{"type":"boolean"},"allowEgressFromLocalVPCToRemoteClassicLink":{"type":"boolean"}}},"tags":{"description":"The tags. The value parameter is required, but if you don't want the tag\nto have a value, specify the parameter with no value, and we set the value\nto an empty string.","type":"array","items":{"description":"Describes a tag.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The ID of the requester VPC. You must specify this parameter in the request.","type":"string"},"vpcRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}},"status":{"description":"VPCPeeringConnectionStatus defines the observed state of VPCPeeringConnection","type":"object","properties":{"accepterVPCInfo":{"description":"Information about the accepter VPC. 
CIDR block information is only returned\nwhen describing an active VPC peering connection.","type":"object","properties":{"cidrBlock":{"type":"string"},"cidrBlockSet":{"type":"array","items":{"description":"Describes an IPv4 CIDR block.","type":"object","properties":{"cidrBlock":{"type":"string"}}}},"ipv6CIDRBlockSet":{"type":"array","items":{"description":"Describes an IPv6 CIDR block.","type":"object","properties":{"ipv6CIDRBlock":{"type":"string"}}}},"ownerID":{"type":"string"},"peeringOptions":{"description":"Describes the VPC peering connection options.","type":"object","properties":{"allowDNSResolutionFromRemoteVPC":{"type":"boolean"},"allowEgressFromLocalClassicLinkToRemoteVPC":{"type":"boolean"},"allowEgressFromLocalVPCToRemoteClassicLink":{"type":"boolean"}}},"region":{"type":"string"},"vpcID":{"type":"string"}}},"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"expirationTime":{"description":"The time that an unaccepted VPC peering connection will expire.","type":"string","format":"date-time"},"requesterVPCInfo":{"description":"Information about the requester VPC. 
CIDR block information is only returned\nwhen describing an active VPC peering connection.","type":"object","properties":{"cidrBlock":{"type":"string"},"cidrBlockSet":{"type":"array","items":{"description":"Describes an IPv4 CIDR block.","type":"object","properties":{"cidrBlock":{"type":"string"}}}},"ipv6CIDRBlockSet":{"type":"array","items":{"description":"Describes an IPv6 CIDR block.","type":"object","properties":{"ipv6CIDRBlock":{"type":"string"}}}},"ownerID":{"type":"string"},"peeringOptions":{"description":"Describes the VPC peering connection options.","type":"object","properties":{"allowDNSResolutionFromRemoteVPC":{"type":"boolean"},"allowEgressFromLocalClassicLinkToRemoteVPC":{"type":"boolean"},"allowEgressFromLocalVPCToRemoteClassicLink":{"type":"boolean"}}},"region":{"type":"string"},"vpcID":{"type":"string"}}},"status":{"description":"The status of the VPC peering connection.","type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"vpcPeeringConnectionID":{"description":"The ID of the VPC peering connection.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCPeeringConnection","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCPeeringConnection"},"aws.k8s.services.ec2.v1alpha1.VPCPeeringConnectionList":{"description":"VPCPeeringConnectionList is a list of VPCPeeringConnection","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of vpcpeeringconnections. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.ec2.v1alpha1.VPCPeeringConnection"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"ec2.services.k8s.aws","kind":"VPCPeeringConnectionList","version":"v1alpha1"}],"title":"aws.k8s.services.ec2.v1alpha1.VPCPeeringConnectionList"},"aws.k8s.services.elasticache.v1alpha1.CacheCluster":{"description":"CacheCluster is the Schema for the CacheClusters API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"CacheClusterSpec defines the desired state of CacheCluster.\n\nContains all of the attributes of a specific cluster.","type":"object","required":["cacheClusterID"],"properties":{"authToken":{"description":"Reserved parameter. The password used to access a password protected server.\n\nPassword constraints:\n\n  - Must be only printable ASCII characters.\n\n  - Must be at least 16 characters and no more than 128 characters in length.","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"autoMinorVersionUpgrade":{"description":"If you are running Valkey 7.2 and above or Redis OSS engine version 6.0 and\nabove, set this parameter to yes to opt-in to the next auto minor version\nupgrade campaign. This parameter is disabled for previous versions.","type":"boolean"},"azMode":{"description":"Specifies whether the nodes in this Memcached cluster are created in a single\nAvailability Zone or created across multiple Availability Zones in the cluster's\nregion.\n\nThis parameter is only supported for Memcached clusters.\n\nIf the AZMode and PreferredAvailabilityZones are not specified, ElastiCache\nassumes single-az mode.","type":"string"},"cacheClusterID":{"description":"The node group (shard) identifier. 
This parameter is stored as a lowercase\nstring.\n\nConstraints:\n\n  - A name must contain from 1 to 50 alphanumeric characters or hyphens.\n\n  - The first character must be a letter.\n\n  - A name cannot end with a hyphen or contain two consecutive hyphens.","type":"string"},"cacheNodeType":{"description":"The compute and memory capacity of the nodes in the node group (shard).\n\nThe following node types are supported by ElastiCache. Generally speaking,\nthe current generation types provide more memory and computational power\nat lower cost when compared to their equivalent previous generation counterparts.\n\n  - General purpose: Current generation: M7g node types: cache.m7g.large,\n    cache.m7g.xlarge, cache.m7g.2xlarge, cache.m7g.4xlarge, cache.m7g.8xlarge,\n    cache.m7g.12xlarge, cache.m7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    M6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.m6g.large, cache.m6g.xlarge,\n    cache.m6g.2xlarge, cache.m6g.4xlarge, cache.m6g.8xlarge, cache.m6g.12xlarge,\n    cache.m6g.16xlarge M5 node types: cache.m5.large, cache.m5.xlarge, cache.m5.2xlarge,\n    cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge M4 node types:\n    cache.m4.large, cache.m4.xlarge, cache.m4.2xlarge, cache.m4.4xlarge, cache.m4.10xlarge\n    T4g node types (available only for Redis OSS engine version 5.0.6 onward\n    and Memcached engine version 1.5.16 onward): cache.t4g.micro, cache.t4g.small,\n    cache.t4g.medium T3 node types: cache.t3.micro, cache.t3.small, cache.t3.medium\n    T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium Previous\n    generation: (not recommended. Existing clusters are still supported but\n    creation of new clusters is not supported for these types.) 
T1 node types:\n    cache.t1.micro M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,\n    cache.m1.xlarge M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,\n    cache.m3.2xlarge\n\n  - Compute optimized: Previous generation: (not recommended. Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) C1 node types: cache.c1.xlarge\n\n  - Memory optimized: Current generation: R7g node types: cache.r7g.large,\n    cache.r7g.xlarge, cache.r7g.2xlarge, cache.r7g.4xlarge, cache.r7g.8xlarge,\n    cache.r7g.12xlarge, cache.r7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    R6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.r6g.large, cache.r6g.xlarge,\n    cache.r6g.2xlarge, cache.r6g.4xlarge, cache.r6g.8xlarge, cache.r6g.12xlarge,\n    cache.r6g.16xlarge R5 node types: cache.r5.large, cache.r5.xlarge, cache.r5.2xlarge,\n    cache.r5.4xlarge, cache.r5.12xlarge, cache.r5.24xlarge R4 node types:\n    cache.r4.large, cache.r4.xlarge, cache.r4.2xlarge, cache.r4.4xlarge, cache.r4.8xlarge,\n    cache.r4.16xlarge Previous generation: (not recommended. Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) 
M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge\n    R3 node types: cache.r3.large, cache.r3.xlarge, cache.r3.2xlarge, cache.r3.4xlarge,\n    cache.r3.8xlarge\n\nAdditional node type info\n\n  - All current generation instance types are created in Amazon VPC by default.\n\n  - Valkey or Redis OSS append-only files (AOF) are not supported for T1\n    or T2 instances.\n\n  - Valkey or Redis OSS Multi-AZ with automatic failover is not supported\n    on T1 instances.\n\n  - The configuration variables appendonly and appendfsync are not supported\n    on Valkey, or on Redis OSS version 2.8.22 and later.","type":"string"},"cacheParameterGroupName":{"description":"The name of the parameter group to associate with this cluster. If this argument\nis omitted, the default parameter group for the specified engine is used.\nYou cannot use any parameter group which has cluster-enabled='yes' when creating\na cluster.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"cacheParameterGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"cacheSecurityGroupNames":{"description":"A list of security group names to associate with this cluster.\n\nUse this parameter only when you are creating a cluster outside of an Amazon\nVirtual Private Cloud (Amazon VPC).","type":"array","items":{"type":"string"}},"cacheSubnetGroupName":{"description":"The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon 
Virtual\nPrivate Cloud (Amazon VPC).\n\nIf you're going to launch your cluster in an Amazon VPC, you need to create\na subnet group before you start creating a cluster. For more information,\nsee Subnets and Subnet Groups (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SubnetGroups.html).","type":"string"},"cacheSubnetGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"engine":{"description":"The name of the cache engine to be used for this cluster.\n\nValid values for this parameter are: memcached | redis","type":"string"},"engineVersion":{"description":"The version number of the cache engine to be used for this cluster. To view\nthe supported cache engine versions, use the DescribeCacheEngineVersions\noperation.\n\nImportant: You can upgrade to a newer engine version (see Selecting a Cache\nEngine and Version (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SelectEngine.html#VersionManagement)),\nbut you cannot downgrade to an earlier engine version. 
If you want to use\nan earlier engine version, you must delete the existing cluster or replication\ngroup and create it anew with the earlier engine version.","type":"string"},"ipDiscovery":{"description":"The network type you choose when modifying a cluster, either ipv4 | ipv6.\nIPv6 is supported for workloads using Valkey 7.2 and above, Redis OSS engine\nversion 6.2 to 7.1 and Memcached engine version 1.6.6 and above on all instances\nbuilt on the Nitro system (http://aws.amazon.com/ec2/nitro/).","type":"string"},"logDeliveryConfigurations":{"description":"Specifies the destination, format and type of the logs.","type":"array","items":{"description":"Specifies the destination, format and type of the logs.","type":"object","properties":{"destinationDetails":{"description":"Configuration details of either a CloudWatch Logs destination or Kinesis\nData Firehose destination.","type":"object","properties":{"cloudWatchLogsDetails":{"description":"The configuration details of the CloudWatch Logs destination.","type":"object","properties":{"logGroup":{"type":"string"}}},"kinesisFirehoseDetails":{"description":"The configuration details of the Kinesis Data Firehose destination.","type":"object","properties":{"deliveryStream":{"type":"string"}}}}},"destinationType":{"type":"string"},"enabled":{"type":"boolean"},"logFormat":{"type":"string"},"logType":{"type":"string"}}}},"networkType":{"description":"Must be either ipv4 | ipv6 | dual_stack. 
IPv6 is supported for workloads\nusing Valkey 7.2 and above, Redis OSS engine version 6.2 to 7.1 and Memcached\nengine version 1.6.6 and above on all instances built on the Nitro system\n(http://aws.amazon.com/ec2/nitro/).","type":"string"},"notificationTopicARN":{"description":"The Amazon Resource Name (ARN) of the Amazon Simple Notification Service\n(SNS) topic to which notifications are sent.\n\nThe Amazon SNS topic owner must be the same as the cluster owner.","type":"string"},"notificationTopicRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"numCacheNodes":{"description":"The initial number of cache nodes that the cluster has.\n\nFor clusters running Valkey or Redis OSS, this value must be 1. For clusters\nrunning Memcached, this value must be between 1 and 40.\n\nIf you need more than 40 nodes for your Memcached cluster, please fill out\nthe ElastiCache Limit Increase Request form at http://aws.amazon.com/contact-us/elasticache-node-limit-request/\n(http://aws.amazon.com/contact-us/elasticache-node-limit-request/).","type":"integer","format":"int64"},"outpostMode":{"description":"Specifies whether the nodes in the cluster are created in a single outpost\nor across multiple outposts.","type":"string"},"port":{"description":"The port number on which each of the cache nodes accepts connections.","type":"integer","format":"int64"},"preferredAvailabilityZone":{"description":"The EC2 Availability Zone in which the cluster is created.\n\nAll nodes belonging to this cluster are placed in the preferred Availability\nZone. 
If you want to create your nodes across multiple Availability Zones,\nuse PreferredAvailabilityZones.\n\nDefault: System chosen Availability Zone.","type":"string"},"preferredAvailabilityZones":{"description":"A list of the Availability Zones in which cache nodes are created. The order\nof the zones in the list is not important.\n\nThis option is only supported on Memcached.\n\nIf you are creating your cluster in an Amazon VPC (recommended) you can only\nlocate nodes in Availability Zones that are associated with the subnets in\nthe selected subnet group.\n\nThe number of Availability Zones listed must equal the value of NumCacheNodes.\n\nIf you want all the nodes in the same Availability Zone, use PreferredAvailabilityZone\ninstead, or repeat the Availability Zone multiple times in the list.\n\nDefault: System chosen Availability Zones.","type":"array","items":{"type":"string"}},"preferredMaintenanceWindow":{"description":"Specifies the weekly time range during which maintenance on the cluster is\nperformed. It is specified as a range in the format ddd:hh24:mi-ddd:hh24:mi\n(24H Clock UTC). The minimum maintenance window is a 60 minute period.","type":"string"},"preferredOutpostARN":{"description":"The outpost ARN in which the cache cluster is created.","type":"string"},"preferredOutpostARNs":{"description":"The outpost ARNs in which the cache cluster is created.","type":"array","items":{"type":"string"}},"replicationGroupID":{"description":"The ID of the replication group to which this cluster should belong. 
If this\nparameter is specified, the cluster is added to the specified replication\ngroup as a read replica; otherwise, the cluster is a standalone primary that\nis not part of any replication group.\n\nIf the specified replication group is Multi-AZ enabled and the Availability\nZone is not specified, the cluster is created in Availability Zones that\nprovide the best spread of read replicas across Availability Zones.\n\nThis parameter is only valid if the Engine parameter is redis.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"replicationGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"securityGroupIDs":{"description":"One or more VPC security groups associated with the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual\nPrivate Cloud (Amazon VPC).","type":"array","items":{"type":"string"}},"securityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"snapshotARNs":{"description":"A single-element string list containing an Amazon Resource Name (ARN) 
that\nuniquely identifies a Valkey or Redis OSS RDB snapshot file stored in Amazon\nS3. The snapshot file is used to populate the node group (shard). The Amazon\nS3 object name in the ARN cannot contain any commas.\n\nThis parameter is only valid if the Engine parameter is redis.\n\nExample of an Amazon S3 ARN: arn:aws:s3:::my_bucket/snapshot1.rdb","type":"array","items":{"type":"string"}},"snapshotName":{"description":"The name of a Valkey or Redis OSS snapshot from which to restore data into\nthe new node group (shard). The snapshot status changes to restoring while\nthe new node group (shard) is being created.\n\nThis parameter is only valid if the Engine parameter is redis.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"snapshotRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"snapshotRetentionLimit":{"description":"The number of days for which ElastiCache retains automatic snapshots before\ndeleting them. 
For example, if you set SnapshotRetentionLimit to 5, a snapshot\ntaken today is retained for 5 days before being deleted.\n\nThis parameter is only valid if the Engine parameter is redis.\n\nDefault: 0 (i.e., automatic backups are disabled for this cache cluster).","type":"integer","format":"int64"},"snapshotWindow":{"description":"The daily time range (in UTC) during which ElastiCache begins taking a daily\nsnapshot of your node group (shard).\n\nExample: 05:00-09:00\n\nIf you do not specify this parameter, ElastiCache automatically chooses an\nappropriate time range.\n\nThis parameter is only valid if the Engine parameter is redis.","type":"string"},"tags":{"description":"A list of tags to be added to this resource.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"transitEncryptionEnabled":{"description":"A flag that enables in-transit encryption when set to true.","type":"boolean"}}},"status":{"description":"CacheClusterStatus defines the observed state of CacheCluster","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"atRestEncryptionEnabled":{"description":"A flag that enables encryption at-rest when set to true.\n\nYou cannot modify the value of AtRestEncryptionEnabled after the cluster\nis created. To enable at-rest encryption on a cluster you must set AtRestEncryptionEnabled\nto true when you create a cluster.\n\nRequired: Only available when creating a replication group in an Amazon VPC\nusing Redis OSS version 3.2.6, 4.x or later.\n\nDefault: false","type":"boolean"},"authTokenEnabled":{"description":"A flag that enables using an AuthToken (password) when issuing Valkey or\nRedis OSS commands.\n\nDefault: false","type":"boolean"},"authTokenLastModifiedDate":{"description":"The date the auth token was last modified","type":"string","format":"date-time"},"cacheClusterCreateTime":{"description":"The date and time when the cluster was created.","type":"string","format":"date-time"},"cacheClusterStatus":{"description":"The current state of this cluster, one of the following values: available,\ncreating, deleted, deleting, incompatible-network, modifying, rebooting cluster\nnodes, restore-failed, or snapshotting.","type":"string"},"cacheNodes":{"description":"A list of cache nodes that are members of the cluster.","type":"array","items":{"description":"Represents an individual cache node within a cluster. 
Each cache node runs\nits own instance of the cluster's protocol-compliant caching software - either\nMemcached, Valkey or Redis OSS.\n\nThe following node types are supported by ElastiCache. Generally speaking,\nthe current generation types provide more memory and computational power\nat lower cost when compared to their equivalent previous generation counterparts.\n\n  - General purpose: Current generation: M7g node types: cache.m7g.large,\n    cache.m7g.xlarge, cache.m7g.2xlarge, cache.m7g.4xlarge, cache.m7g.8xlarge,\n    cache.m7g.12xlarge, cache.m7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    M6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.m6g.large, cache.m6g.xlarge,\n    cache.m6g.2xlarge, cache.m6g.4xlarge, cache.m6g.8xlarge, cache.m6g.12xlarge,\n    cache.m6g.16xlarge M5 node types: cache.m5.large, cache.m5.xlarge, cache.m5.2xlarge,\n    cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge M4 node types:\n    cache.m4.large, cache.m4.xlarge, cache.m4.2xlarge, cache.m4.4xlarge, cache.m4.10xlarge\n    T4g node types (available only for Redis OSS engine version 5.0.6 onward\n    and Memcached engine version 1.5.16 onward): cache.t4g.micro, cache.t4g.small,\n    cache.t4g.medium T3 node types: cache.t3.micro, cache.t3.small, cache.t3.medium\n    T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium Previous\n    generation: (not recommended. Existing clusters are still supported but\n    creation of new clusters is not supported for these types.) T1 node types:\n    cache.t1.micro M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,\n    cache.m1.xlarge M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,\n    cache.m3.2xlarge\n\n  - Compute optimized: Previous generation: (not recommended. 
Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) C1 node types: cache.c1.xlarge\n\n  - Memory optimized: Current generation: R7g node types: cache.r7g.large,\n    cache.r7g.xlarge, cache.r7g.2xlarge, cache.r7g.4xlarge, cache.r7g.8xlarge,\n    cache.r7g.12xlarge, cache.r7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    R6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.r6g.large, cache.r6g.xlarge,\n    cache.r6g.2xlarge, cache.r6g.4xlarge, cache.r6g.8xlarge, cache.r6g.12xlarge,\n    cache.r6g.16xlarge R5 node types: cache.r5.large, cache.r5.xlarge, cache.r5.2xlarge,\n    cache.r5.4xlarge, cache.r5.12xlarge, cache.r5.24xlarge R4 node types:\n    cache.r4.large, cache.r4.xlarge, cache.r4.2xlarge, cache.r4.4xlarge, cache.r4.8xlarge,\n    cache.r4.16xlarge Previous generation: (not recommended. Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) 
M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge\n    R3 node types: cache.r3.large, cache.r3.xlarge, cache.r3.2xlarge, cache.r3.4xlarge,\n    cache.r3.8xlarge\n\nAdditional node type info\n\n  - All current generation instance types are created in Amazon VPC by default.\n\n  - Valkey or Redis OSS append-only files (AOF) are not supported for T1\n    or T2 instances.\n\n  - Valkey or Redis OSS Multi-AZ with automatic failover is not supported\n    on T1 instances.\n\n  - The configuration variables appendonly and appendfsync are not supported\n    on Valkey, or on Redis OSS version 2.8.22 and later.","type":"object","properties":{"cacheNodeCreateTime":{"type":"string","format":"date-time"},"cacheNodeID":{"type":"string"},"cacheNodeStatus":{"type":"string"},"customerAvailabilityZone":{"type":"string"},"customerOutpostARN":{"type":"string"},"endpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"parameterGroupStatus":{"type":"string"},"sourceCacheNodeID":{"type":"string"}}}},"cacheParameterGroup":{"description":"Status of the cache parameter group.","type":"object","properties":{"cacheNodeIDsToReboot":{"type":"array","items":{"type":"string"}},"cacheParameterGroupName":{"type":"string"},"parameterApplyStatus":{"type":"string"}}},"cacheSecurityGroups":{"description":"A list of cache security group elements, composed of name and status sub-elements.","type":"array","items":{"description":"Represents a cluster's status within a particular cache security group.","type":"object","properties":{"cacheSecurityGroupName":{"type":"string"},"status":{"type":"string"}}}},"clientDownloadLandingPage":{"description":"The URL of the web page where you can download the latest ElastiCache client\nlibrary.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a 
common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"configurationEndpoint":{"description":"Represents a Memcached cluster endpoint which can be used by an application\nto connect to any node in the cluster. The configuration endpoint will always\nhave .cfg in it.\n\nExample: mem-3.9dvc4r.cfg.usw2.cache.amazonaws.com:11211","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"notificationConfiguration":{"description":"Describes a notification topic and its status. 
Notification topics are used\nfor publishing ElastiCache events to subscribers using Amazon Simple Notification\nService (SNS).","type":"object","properties":{"topicARN":{"type":"string"},"topicStatus":{"type":"string"}}},"pendingModifiedValues":{"description":"A group of settings that are applied to the cluster in the future, or that\nare currently being applied.","type":"object","properties":{"authTokenStatus":{"type":"string"},"cacheNodeIDsToRemove":{"type":"array","items":{"type":"string"}},"cacheNodeType":{"type":"string"},"engineVersion":{"type":"string"},"numCacheNodes":{"type":"integer","format":"int64"},"transitEncryptionEnabled":{"type":"boolean"},"transitEncryptionMode":{"type":"string"}}},"replicationGroupLogDeliveryEnabled":{"description":"A boolean value indicating whether log delivery is enabled for the replication\ngroup.","type":"boolean"},"securityGroups":{"description":"A list of VPC Security Groups associated with the cluster.","type":"array","items":{"description":"Represents a single cache security group and its status.","type":"object","properties":{"securityGroupID":{"type":"string"},"status":{"type":"string"}}}},"transitEncryptionMode":{"description":"A setting that allows you to migrate your clients to use in-transit encryption,\nwith no downtime.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheCluster","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheCluster"},"aws.k8s.services.elasticache.v1alpha1.CacheClusterList":{"description":"CacheClusterList is a list of CacheCluster","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cacheclusters. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.CacheCluster"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheClusterList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheClusterList"},"aws.k8s.services.elasticache.v1alpha1.CacheParameterGroup":{"description":"CacheParameterGroup is the Schema for the CacheParameterGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"CacheParameterGroupSpec defines the desired state of CacheParameterGroup.\n\nRepresents the output of a CreateCacheParameterGroup operation.","type":"object","required":["cacheParameterGroupFamily","cacheParameterGroupName","description"],"properties":{"cacheParameterGroupFamily":{"description":"The name of the cache parameter group family that the cache parameter group\ncan be used with.\n\nValid values are: valkey8 | valkey7 | memcached1.4 | memcached1.5 | memcached1.6\n| redis2.6 | redis2.8 |redis3.2 | redis4.0 | redis5.0 | redis6.x | redis7","type":"string"},"cacheParameterGroupName":{"description":"A user-specified name for the cache parameter group.","type":"string"},"description":{"description":"A user-specified description for the cache parameter group.","type":"string"},"parameterNameValues":{"description":"An array of parameter names and values for the parameter update. You must\nsupply at least one parameter name and value; subsequent arguments are optional.\nA maximum of 20 parameters may be modified per request.","type":"array","items":{"description":"Describes a name-value pair that is used to update the value of a parameter.","type":"object","properties":{"parameterName":{"type":"string"},"parameterValue":{"type":"string"}}}},"tags":{"description":"A list of tags to be added to this resource. A tag is a key-value pair. A\ntag key must be accompanied by a tag value, although null is accepted.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. 
You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"CacheParameterGroupStatus defines the observed state of CacheParameterGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API 
resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"events":{"description":"A list of events. Each element in the list contains detailed information\nabout one event.","type":"array","items":{"description":"Represents a single occurrence of something interesting within the system.\nSome examples of events are creating a cluster, adding or removing a cache\nnode, or rebooting a node.","type":"object","properties":{"date":{"type":"string","format":"date-time"},"message":{"type":"string"},"sourceIdentifier":{"type":"string"},"sourceType":{"type":"string"}}}},"isGlobal":{"description":"Indicates whether the parameter group is associated with a Global datastore","type":"boolean"},"parameters":{"description":"A list of Parameter instances.","type":"array","items":{"description":"Describes an individual setting that controls some aspect of 
ElastiCache\nbehavior.","type":"object","properties":{"allowedValues":{"type":"string"},"changeType":{"type":"string"},"dataType":{"type":"string"},"description":{"type":"string"},"isModifiable":{"type":"boolean"},"minimumEngineVersion":{"type":"string"},"parameterName":{"type":"string"},"parameterValue":{"type":"string"},"source":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheParameterGroup","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheParameterGroup"},"aws.k8s.services.elasticache.v1alpha1.CacheParameterGroupList":{"description":"CacheParameterGroupList is a list of CacheParameterGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cacheparametergroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.CacheParameterGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheParameterGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheParameterGroupList"},"aws.k8s.services.elasticache.v1alpha1.CacheSubnetGroup":{"description":"CacheSubnetGroup is the Schema for the CacheSubnetGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"CacheSubnetGroupSpec defines the desired state of CacheSubnetGroup.\n\nRepresents the output of one of the following operations:\n\n  - CreateCacheSubnetGroup\n\n  - ModifyCacheSubnetGroup","type":"object","required":["cacheSubnetGroupDescription","cacheSubnetGroupName"],"properties":{"cacheSubnetGroupDescription":{"description":"A description for the cache subnet group.","type":"string"},"cacheSubnetGroupName":{"description":"A name for the cache subnet group. 
This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: mysubnetgroup","type":"string"},"subnetIDs":{"description":"A list of VPC subnet IDs for the cache subnet group.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"A list of tags to be added to this resource. A tag is a key-value pair. A\ntag key must be accompanied by a tag value, although null is accepted.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"CacheSubnetGroupStatus defines the observed state of CacheSubnetGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"events":{"description":"A list of events. 
Each element in the list contains detailed information\nabout one event.","type":"array","items":{"description":"Represents a single occurrence of something interesting within the system.\nSome examples of events are creating a cluster, adding or removing a cache\nnode, or rebooting a node.","type":"object","properties":{"date":{"type":"string","format":"date-time"},"message":{"type":"string"},"sourceIdentifier":{"type":"string"},"sourceType":{"type":"string"}}}},"subnets":{"description":"A list of subnets associated with the cache subnet group.","type":"array","items":{"description":"Represents the subnet associated with a cluster. This parameter refers to\nsubnets defined in Amazon Virtual Private Cloud (Amazon VPC) and used with\nElastiCache.","type":"object","properties":{"subnetAvailabilityZone":{"description":"Describes an Availability Zone in which the cluster is launched.","type":"object","properties":{"name":{"type":"string"}}},"subnetIdentifier":{"type":"string"},"subnetOutpost":{"description":"The ID of the outpost subnet.","type":"object","properties":{"subnetOutpostARN":{"type":"string"}}}}}},"vpcID":{"description":"The Amazon Virtual Private Cloud identifier (VPC ID) of the cache subnet\ngroup.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheSubnetGroup","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheSubnetGroup"},"aws.k8s.services.elasticache.v1alpha1.CacheSubnetGroupList":{"description":"CacheSubnetGroupList is a list of CacheSubnetGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cachesubnetgroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.CacheSubnetGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"CacheSubnetGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.CacheSubnetGroupList"},"aws.k8s.services.elasticache.v1alpha1.ReplicationGroup":{"description":"ReplicationGroup is the Schema for the ReplicationGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ReplicationGroupSpec defines the desired state of ReplicationGroup.\n\nContains all of the attributes of a specific Valkey or Redis OSS replication\ngroup.","type":"object","required":["description","replicationGroupID"],"properties":{"atRestEncryptionEnabled":{"description":"A flag that enables encryption at rest when set to true.\n\nYou cannot modify the value of AtRestEncryptionEnabled after the replication\ngroup is created. To enable encryption at rest on a replication group you\nmust set AtRestEncryptionEnabled to true when you create the replication\ngroup.\n\nRequired: Only available when creating a replication group in an Amazon VPC\nusing Valkey 7.2 and later, Redis OSS version 3.2.6, or Redis OSS 4.x and\nlater.\n\nDefault: true when using Valkey, false when using Redis OSS","type":"boolean"},"authToken":{"description":"Reserved parameter. 
The password used to access a password protected server.\n\nAuthToken can be specified only on replication groups where TransitEncryptionEnabled\nis true.\n\nFor HIPAA compliance, you must specify TransitEncryptionEnabled as true,\nan AuthToken, and a CacheSubnetGroup.\n\nPassword constraints:\n\n  - Must be only printable ASCII characters.\n\n  - Must be at least 16 characters and no more than 128 characters in length.","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"automaticFailoverEnabled":{"description":"Specifies whether a read-only replica is automatically promoted to read/write\nprimary if the existing primary fails.\n\nAutomaticFailoverEnabled must be enabled for Valkey or Redis OSS (cluster\nmode enabled) replication groups.\n\nDefault: false","type":"boolean"},"cacheNodeType":{"description":"The compute and memory capacity of the nodes in the node group (shard).\n\nThe following node types are supported by ElastiCache. 
Generally speaking,\nthe current generation types provide more memory and computational power\nat lower cost when compared to their equivalent previous generation counterparts.\n\n  - General purpose: Current generation: M7g node types: cache.m7g.large,\n    cache.m7g.xlarge, cache.m7g.2xlarge, cache.m7g.4xlarge, cache.m7g.8xlarge,\n    cache.m7g.12xlarge, cache.m7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    M6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.m6g.large, cache.m6g.xlarge,\n    cache.m6g.2xlarge, cache.m6g.4xlarge, cache.m6g.8xlarge, cache.m6g.12xlarge,\n    cache.m6g.16xlarge M5 node types: cache.m5.large, cache.m5.xlarge, cache.m5.2xlarge,\n    cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge M4 node types:\n    cache.m4.large, cache.m4.xlarge, cache.m4.2xlarge, cache.m4.4xlarge, cache.m4.10xlarge\n    T4g node types (available only for Redis OSS engine version 5.0.6 onward\n    and Memcached engine version 1.5.16 onward): cache.t4g.micro, cache.t4g.small,\n    cache.t4g.medium T3 node types: cache.t3.micro, cache.t3.small, cache.t3.medium\n    T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium Previous\n    generation: (not recommended. Existing clusters are still supported but\n    creation of new clusters is not supported for these types.) T1 node types:\n    cache.t1.micro M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,\n    cache.m1.xlarge M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,\n    cache.m3.2xlarge\n\n  - Compute optimized: Previous generation: (not recommended. Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) 
C1 node types: cache.c1.xlarge\n\n  - Memory optimized: Current generation: R7g node types: cache.r7g.large,\n    cache.r7g.xlarge, cache.r7g.2xlarge, cache.r7g.4xlarge, cache.r7g.8xlarge,\n    cache.r7g.12xlarge, cache.r7g.16xlarge For region availability, see Supported\n    Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n    R6g node types (available only for Redis OSS engine version 5.0.6 onward\n    and for Memcached engine version 1.5.16 onward): cache.r6g.large, cache.r6g.xlarge,\n    cache.r6g.2xlarge, cache.r6g.4xlarge, cache.r6g.8xlarge, cache.r6g.12xlarge,\n    cache.r6g.16xlarge R5 node types: cache.r5.large, cache.r5.xlarge, cache.r5.2xlarge,\n    cache.r5.4xlarge, cache.r5.12xlarge, cache.r5.24xlarge R4 node types:\n    cache.r4.large, cache.r4.xlarge, cache.r4.2xlarge, cache.r4.4xlarge, cache.r4.8xlarge,\n    cache.r4.16xlarge Previous generation: (not recommended. Existing clusters\n    are still supported but creation of new clusters is not supported for\n    these types.) 
M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge\n    R3 node types: cache.r3.large, cache.r3.xlarge, cache.r3.2xlarge, cache.r3.4xlarge,\n    cache.r3.8xlarge\n\nAdditional node type info\n\n  - All current generation instance types are created in Amazon VPC by default.\n\n  - Valkey or Redis OSS append-only files (AOF) are not supported for T1\n    or T2 instances.\n\n  - Valkey or Redis OSS Multi-AZ with automatic failover is not supported\n    on T1 instances.\n\n  - The configuration variables appendonly and appendfsync are not supported\n    on Valkey, or on Redis OSS version 2.8.22 and later.","type":"string"},"cacheParameterGroupName":{"description":"The name of the parameter group to associate with this replication group.\nIf this argument is omitted, the default cache parameter group for the specified\nengine is used.\n\nIf you are running Valkey or Redis OSS version 3.2.4 or later, only one node\ngroup (shard), and want to use a default parameter group, we recommend that\nyou specify the parameter group by name.\n\n  - To create a Valkey or Redis OSS (cluster mode disabled) replication\n    group, use CacheParameterGroupName=default.redis3.2.\n\n  - To create a Valkey or Redis OSS (cluster mode enabled) replication group,\n    use CacheParameterGroupName=default.redis3.2.cluster.on.","type":"string"},"cacheParameterGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"cacheSecurityGroupNames":{"description":"A list of cache security group names to associate with this replication 
group.","type":"array","items":{"type":"string"}},"cacheSubnetGroupName":{"description":"The name of the cache subnet group to be used for the replication group.\n\nIf you're going to launch your cluster in an Amazon VPC, you need to create\na subnet group before you start creating a cluster. For more information,\nsee Subnets and Subnet Groups (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SubnetGroups.html).","type":"string"},"cacheSubnetGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dataTieringEnabled":{"description":"Enables data tiering. Data tiering is only supported for replication groups\nusing the r6gd node type. This parameter must be set to true when using r6gd\nnodes. For more information, see Data tiering (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/data-tiering.html).","type":"boolean"},"description":{"description":"A user-created description for the replication group.","type":"string"},"engine":{"description":"The name of the cache engine to be used for the clusters in this replication\ngroup. The value must be set to valkey or redis.","type":"string"},"engineVersion":{"description":"The version number of the cache engine to be used for the clusters in this\nreplication group. 
To view the supported cache engine versions, use the DescribeCacheEngineVersions\noperation.\n\nImportant: You can upgrade to a newer engine version (see Selecting a Cache\nEngine and Version (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SelectEngine.html#VersionManagement))\nin the ElastiCache User Guide, but you cannot downgrade to an earlier engine\nversion. If you want to use an earlier engine version, you must delete the\nexisting cluster or replication group and create it anew with the earlier\nengine version.","type":"string"},"ipDiscovery":{"description":"The network type you choose when creating a replication group, either ipv4\n| ipv6. IPv6 is supported for workloads using Valkey 7.2 and above, Redis\nOSS engine version 6.2 to 7.1 or Memcached engine version 1.6.6 and above\non all instances built on the Nitro system (http://aws.amazon.com/ec2/nitro/).","type":"string"},"kmsKeyID":{"description":"The ID of the KMS key used to encrypt the disk in the cluster.","type":"string"},"logDeliveryConfigurations":{"description":"Specifies the destination, format and type of the logs.","type":"array","items":{"description":"Specifies the destination, format and type of the logs.","type":"object","properties":{"destinationDetails":{"description":"Configuration details of either a CloudWatch Logs destination or Kinesis\nData Firehose destination.","type":"object","properties":{"cloudWatchLogsDetails":{"description":"The configuration details of the CloudWatch Logs destination.","type":"object","properties":{"logGroup":{"type":"string"}}},"kinesisFirehoseDetails":{"description":"The configuration details of the Kinesis Data Firehose destination.","type":"object","properties":{"deliveryStream":{"type":"string"}}}}},"destinationType":{"type":"string"},"enabled":{"type":"boolean"},"logFormat":{"type":"string"},"logType":{"type":"string"}}}},"multiAZEnabled":{"description":"A flag indicating if you have Multi-AZ enabled to enhance fault tolerance.\nFor more 
information, see Minimizing Downtime: Multi-AZ (http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/AutoFailover.html).","type":"boolean"},"networkType":{"description":"Must be either ipv4 | ipv6 | dual_stack. IPv6 is supported for workloads\nusing Valkey 7.2 and above, Redis OSS engine version 6.2 to 7.1 and Memcached\nengine version 1.6.6 and above on all instances built on the Nitro system\n(http://aws.amazon.com/ec2/nitro/).","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"nodeGroupConfiguration":{"description":"A list of node group (shard) configuration options. Each node group (shard)\nconfiguration has the following members: PrimaryAvailabilityZone, ReplicaAvailabilityZones,\nReplicaCount, and Slots.\n\nIf you're creating a Valkey or Redis OSS (cluster mode disabled) or a Valkey\nor Redis OSS (cluster mode enabled) replication group, you can use this parameter\nto individually configure each node group (shard), or you can omit this parameter.\nHowever, it is required when seeding a Valkey or Redis OSS (cluster mode\nenabled) cluster from an S3 rdb file. You must configure each node group (shard)\nusing this parameter because you must specify the slots for each node group.","type":"array","items":{"description":"Node group (shard) configuration options. 
Each node group (shard) configuration\nhas the following: Slots, PrimaryAvailabilityZone, ReplicaAvailabilityZones,\nReplicaCount.","type":"object","properties":{"nodeGroupID":{"type":"string"},"primaryAvailabilityZone":{"type":"string"},"primaryOutpostARN":{"type":"string"},"replicaAvailabilityZones":{"type":"array","items":{"type":"string"}},"replicaCount":{"type":"integer","format":"int64"},"replicaOutpostARNs":{"type":"array","items":{"type":"string"}},"slots":{"type":"string"}}}},"notificationTopicARN":{"description":"The Amazon Resource Name (ARN) of the Amazon Simple Notification Service\n(SNS) topic to which notifications are sent.\n\nThe Amazon SNS topic owner must be the same as the cluster owner.","type":"string"},"numNodeGroups":{"description":"An optional parameter that specifies the number of node groups (shards) for\nthis Valkey or Redis OSS (cluster mode enabled) replication group. For Valkey\nor Redis OSS (cluster mode disabled) either omit this parameter or set it\nto 1.\n\nDefault: 1","type":"integer","format":"int64"},"port":{"description":"The port number on which each member of the replication group accepts connections.","type":"integer","format":"int64"},"preferredCacheClusterAZs":{"description":"A list of EC2 Availability Zones in which the replication group's clusters\nare created. The order of the Availability Zones in the list is the order\nin which clusters are allocated. 
The primary cluster is created in the first\nAZ in the list.\n\nThis parameter is not used if there is more than one node group (shard).\nYou should use NodeGroupConfiguration instead.\n\nIf you are creating your replication group in an Amazon VPC (recommended),\nyou can only locate clusters in Availability Zones associated with the subnets\nin the selected subnet group.\n\nThe number of Availability Zones listed must equal the value of NumCacheClusters.\n\nDefault: system chosen Availability Zones.","type":"array","items":{"type":"string"}},"preferredMaintenanceWindow":{"description":"Specifies the weekly time range during which maintenance on the cluster is\nperformed. It is specified as a range in the format ddd:hh24:mi-ddd:hh24:mi\n(24H Clock UTC). The minimum maintenance window is a 60 minute period.\n\nValid values for ddd are:\n\n  - sun\n\n  - mon\n\n  - tue\n\n  - wed\n\n  - thu\n\n  - fri\n\n  - sat\n\nExample: sun:23:00-mon:01:30","type":"string"},"primaryClusterID":{"description":"The identifier of the cluster that serves as the primary for this replication\ngroup. This cluster must already exist and have a status of available.\n\nThis parameter is not required if NumCacheClusters, NumNodeGroups, or ReplicasPerNodeGroup\nis specified.","type":"string"},"replicasPerNodeGroup":{"description":"An optional parameter that specifies the number of replica nodes in each\nnode group (shard). Valid values are 0 to 5.","type":"integer","format":"int64"},"replicationGroupID":{"description":"The replication group identifier. 
This parameter is stored as a lowercase\nstring.\n\nConstraints:\n\n  - A name must contain from 1 to 40 alphanumeric characters or hyphens.\n\n  - The first character must be a letter.\n\n  - A name cannot end with a hyphen or contain two consecutive hyphens.","type":"string"},"securityGroupIDs":{"description":"One or more Amazon VPC security groups associated with this replication group.\n\nUse this parameter only when you are creating a replication group in an Amazon\nVirtual Private Cloud (Amazon VPC).","type":"array","items":{"type":"string"}},"securityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"snapshotARNs":{"description":"A list of Amazon Resource Names (ARN) that uniquely identify the Valkey or\nRedis OSS RDB snapshot files stored in Amazon S3. The snapshot files are\nused to populate the new replication group. The Amazon S3 object name in\nthe ARN cannot contain any commas. The new replication group will have the\nnumber of node groups (console: shards) specified by the parameter NumNodeGroups\nor the number of node groups configured by NodeGroupConfiguration regardless\nof the number of ARNs specified here.\n\nExample of an Amazon S3 ARN: arn:aws:s3:::my_bucket/snapshot1.rdb","type":"array","items":{"type":"string"}},"snapshotName":{"description":"The name of a snapshot from which to restore data into the new replication\ngroup. 
The snapshot status changes to restoring while the new replication\ngroup is being created.","type":"string"},"snapshotRetentionLimit":{"description":"The number of days for which ElastiCache retains automatic snapshots before\ndeleting them. For example, if you set SnapshotRetentionLimit to 5, a snapshot\nthat was taken today is retained for 5 days before being deleted.\n\nDefault: 0 (i.e., automatic backups are disabled for this cluster).","type":"integer","format":"int64"},"snapshotWindow":{"description":"The daily time range (in UTC) during which ElastiCache begins taking a daily\nsnapshot of your node group (shard).\n\nExample: 05:00-09:00\n\nIf you do not specify this parameter, ElastiCache automatically chooses an\nappropriate time range.","type":"string"},"tags":{"description":"A list of tags to be added to this resource. Tags are comma-separated key,value\npairs (e.g. Key=myKey, Value=myKeyValue). You can include multiple tags as\nshown following: Key=myKey, Value=myKeyValue Key=mySecondKey, Value=mySecondKeyValue.\nTags on replication groups will be replicated to all nodes.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. 
A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"transitEncryptionEnabled":{"description":"A flag that enables in-transit encryption when set to true.\n\nThis parameter is valid only if the Engine parameter is redis, the EngineVersion\nparameter is 3.2.6, 4.x or later, and the cluster is being created in an\nAmazon VPC.\n\nIf you enable in-transit encryption, you must also specify a value for CacheSubnetGroup.\n\nRequired: Only available when creating a replication group in an Amazon VPC\nusing Redis OSS version 3.2.6, 4.x or later.\n\nDefault: false\n\nFor HIPAA compliance, you must specify TransitEncryptionEnabled as true,\nan AuthToken, and a CacheSubnetGroup.","type":"boolean"},"userGroupIDs":{"description":"The user group to associate with the replication group.","type":"array","items":{"type":"string"}}}},"status":{"description":"ReplicationGroupStatus defines the observed state of ReplicationGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"allowedScaleDownModifications":{"description":"A string list, each element of which specifies a cache node type which you\ncan use to scale your cluster or replication group. When scaling down a Valkey\nor Redis OSS cluster or replication group using ModifyCacheCluster or ModifyReplicationGroup,\nuse a value from this list for the CacheNodeType parameter.","type":"array","items":{"type":"string"}},"allowedScaleUpModifications":{"description":"A string list, each element of which specifies a cache node type which you\ncan use to scale your cluster or replication group.\n\nWhen scaling up a Valkey or Redis OSS cluster or replication group using\nModifyCacheCluster or ModifyReplicationGroup, use a value from this list\nfor the CacheNodeType parameter.","type":"array","items":{"type":"string"}},"authTokenEnabled":{"description":"A flag that enables using an AuthToken (password) when issuing Valkey or\nRedis OSS commands.\n\nDefault: false","type":"boolean"},"authTokenLastModifiedDate":{"description":"The date the auth token was last modified","type":"string","format":"date-time"},"autoMinorVersionUpgrade":{"description":"If you are running Valkey 7.2 and above, or Redis OSS engine version 6.0\nand above, set this parameter to yes if you want to opt-in to the next auto\nminor version upgrade campaign. 
This parameter is disabled for previous versions.","type":"boolean"},"automaticFailover":{"description":"Indicates the status of automatic failover for this Valkey or Redis OSS replication\ngroup.","type":"string"},"clusterEnabled":{"description":"A flag indicating whether or not this replication group is cluster enabled;\ni.e., whether its data can be partitioned across multiple shards (API/CLI:\nnode groups).\n\nValid values: true | false","type":"boolean"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"configurationEndpoint":{"description":"The configuration endpoint for this replication group. Use the configuration\nendpoint to connect to this replication group.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"dataTiering":{"description":"Enables data tiering. Data tiering is only supported for replication groups\nusing the r6gd node type. This parameter must be set to true when using r6gd\nnodes. 
For more information, see Data tiering (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/data-tiering.html).","type":"string"},"events":{"description":"A list of events. Each element in the list contains detailed information\nabout one event.","type":"array","items":{"description":"Represents a single occurrence of something interesting within the system.\nSome examples of events are creating a cluster, adding or removing a cache\nnode, or rebooting a node.","type":"object","properties":{"date":{"type":"string","format":"date-time"},"message":{"type":"string"},"sourceIdentifier":{"type":"string"},"sourceType":{"type":"string"}}}},"globalReplicationGroupInfo":{"description":"The name of the Global datastore and role of this replication group in the\nGlobal datastore.","type":"object","properties":{"globalReplicationGroupID":{"type":"string"},"globalReplicationGroupMemberRole":{"type":"string"}}},"logDeliveryConfigurations":{"description":"Returns the destination, format and type of the logs.","type":"array","items":{"description":"Returns the destination, format and type of the logs.","type":"object","properties":{"destinationDetails":{"description":"Configuration details of either a CloudWatch Logs destination or Kinesis\nData Firehose destination.","type":"object","properties":{"cloudWatchLogsDetails":{"description":"The configuration details of the CloudWatch Logs destination.","type":"object","properties":{"logGroup":{"type":"string"}}},"kinesisFirehoseDetails":{"description":"The configuration details of the Kinesis Data Firehose destination.","type":"object","properties":{"deliveryStream":{"type":"string"}}}}},"destinationType":{"type":"string"},"logFormat":{"type":"string"},"logType":{"type":"string"},"message":{"type":"string"},"status":{"type":"string"}}}},"memberClusters":{"description":"The names of all the cache clusters that are part of this replication 
group.","type":"array","items":{"type":"string"}},"memberClustersOutpostARNs":{"description":"The outpost ARNs of the replication group's member clusters.","type":"array","items":{"type":"string"}},"multiAZ":{"description":"A flag indicating if you have Multi-AZ enabled to enhance fault tolerance.\nFor more information, see Minimizing Downtime: Multi-AZ (http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/AutoFailover.html)","type":"string"},"nodeGroups":{"description":"A list of node groups in this replication group. For Valkey or Redis OSS\n(cluster mode disabled) replication groups, this is a single-element list.\nFor Valkey or Redis OSS (cluster mode enabled) replication groups, the list\ncontains an entry for each node group (shard).","type":"array","items":{"description":"Represents a collection of cache nodes in a replication group. One node in\nthe node group is the read/write primary node. All the other nodes are read-only\nReplica nodes.","type":"object","properties":{"nodeGroupID":{"type":"string"},"nodeGroupMembers":{"type":"array","items":{"description":"Represents a single node within a node group (shard).","type":"object","properties":{"cacheClusterID":{"type":"string"},"cacheNodeID":{"type":"string"},"currentRole":{"type":"string"},"preferredAvailabilityZone":{"type":"string"},"preferredOutpostARN":{"type":"string"},"readEndpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}}}}},"primaryEndpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"readerEndpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. 
This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"slots":{"type":"string"},"status":{"type":"string"}}}},"pendingModifiedValues":{"description":"A group of settings to be applied to the replication group, either immediately\nor during the next maintenance window.","type":"object","properties":{"authTokenStatus":{"type":"string"},"automaticFailoverStatus":{"type":"string"},"logDeliveryConfigurations":{"type":"array","items":{"description":"The log delivery configurations being modified","type":"object","properties":{"destinationDetails":{"description":"Configuration details of either a CloudWatch Logs destination or Kinesis\nData Firehose destination.","type":"object","properties":{"cloudWatchLogsDetails":{"description":"The configuration details of the CloudWatch Logs destination.","type":"object","properties":{"logGroup":{"type":"string"}}},"kinesisFirehoseDetails":{"description":"The configuration details of the Kinesis Data Firehose destination.","type":"object","properties":{"deliveryStream":{"type":"string"}}}}},"destinationType":{"type":"string"},"logFormat":{"type":"string"},"logType":{"type":"string"}}}},"primaryClusterID":{"type":"string"},"resharding":{"description":"The status of an online resharding operation.","type":"object","properties":{"slotMigration":{"description":"Represents the progress of an online resharding operation.","type":"object","properties":{"progressPercentage":{"type":"number"}}}}},"userGroups":{"description":"The status of the user group update.","type":"object","properties":{"userGroupIDsToAdd":{"type":"array","items":{"type":"string"}},"userGroupIDsToRemove":{"type":"array","items":{"type":"string"}}}}}},"replicationGroupCreateTime":{"description":"The date and time when the cluster was created.","type":"string","format":"date-time"},"snapshottingClusterID":{"description":"The cluster ID that is used as the daily snapshot source for the 
replication\ngroup.","type":"string"},"status":{"description":"The current state of this replication group - creating, available, modifying,\ndeleting, create-failed, snapshotting.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ReplicationGroup","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ReplicationGroup"},"aws.k8s.services.elasticache.v1alpha1.ReplicationGroupList":{"description":"ReplicationGroupList is a list of ReplicationGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of replicationgroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.ReplicationGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ReplicationGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ReplicationGroupList"},"aws.k8s.services.elasticache.v1alpha1.ServerlessCache":{"description":"ServerlessCache is the Schema for the ServerlessCaches API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ServerlessCacheSpec defines the desired state of ServerlessCache.\n\nThe resource representing a serverless cache.","type":"object","required":["engine","serverlessCacheName"],"properties":{"cacheUsageLimits":{"description":"Sets the cache usage limits for storage and ElastiCache Processing Units\nfor the cache.","type":"object","properties":{"dataStorage":{"description":"The data storage limit.","type":"object","properties":{"maximum":{"type":"integer","format":"int64"},"minimum":{"type":"integer","format":"int64"},"unit":{"type":"string"}}},"eCPUPerSecond":{"description":"The configuration for the number of ElastiCache Processing Units (ECPU) the\ncache can consume per second.","type":"object","properties":{"maximum":{"type":"integer","format":"int64"},"minimum":{"type":"integer","format":"int64"}}}}},"dailySnapshotTime":{"description":"The daily time that snapshots will be created from the new serverless cache.\nBy default this number is populated with 0, i.e. no snapshots will be created\non an automatic daily basis. Available for Valkey, Redis OSS and Serverless\nMemcached only.","type":"string"},"description":{"description":"User-provided description for the serverless cache. The default is NULL,\ni.e. if no description is provided then an empty string will be returned.\nThe maximum length is 255 characters.","type":"string"},"engine":{"description":"The name of the cache engine to be used for creating the serverless cache.","type":"string"},"kmsKeyID":{"description":"ARN of the customer managed key for encrypting the data at rest. 
If no KMS\nkey is provided, a default service key is used.","type":"string"},"majorEngineVersion":{"description":"The version of the cache engine that will be used to create the serverless\ncache.","type":"string"},"securityGroupIDs":{"description":"A list of the one or more VPC security groups to be associated with the serverless\ncache. The security group will authorize traffic access for the VPC end-point\n(private-link). If no other information is given this will be the VPC’s\nDefault Security Group that is associated with the cluster VPC end-point.","type":"array","items":{"type":"string"}},"securityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"serverlessCacheName":{"description":"User-provided identifier for the serverless cache. This parameter is stored\nas a lowercase string.","type":"string"},"snapshotARNsToRestore":{"description":"The ARN(s) of the snapshot that the new serverless cache will be created\nfrom. Available for Valkey, Redis OSS and Serverless Memcached only.","type":"array","items":{"type":"string"}},"snapshotRetentionLimit":{"description":"The number of snapshots that will be retained for the serverless cache that\nis being created. As new snapshots beyond this limit are added, the oldest\nsnapshots will be deleted on a rolling basis. Available for Valkey, Redis\nOSS and Serverless Memcached only.","type":"integer","format":"int64"},"subnetIDs":{"description":"A list of the identifiers of the subnets where the VPC endpoint for the serverless\ncache will be deployed. 
All the subnetIds must belong to the same VPC.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"The list of tags (key, value) pairs to be added to the serverless cache resource.\nDefault is NULL.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"userGroupID":{"description":"The identifier of the UserGroup to be associated with the serverless cache.\nAvailable for Valkey and Redis OSS only. Default is NULL.","type":"string"}}},"status":{"description":"ServerlessCacheStatus defines the observed state of ServerlessCache","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"createTime":{"description":"When the serverless cache was created.","type":"string","format":"date-time"},"endpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. 
This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"fullEngineVersion":{"description":"The name and version number of the engine the serverless cache is compatible\nwith.","type":"string"},"readerEndpoint":{"description":"Represents the information required for client programs to connect to a cache\nnode. This value is read-only.","type":"object","properties":{"address":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"status":{"description":"The current status of the serverless cache. The allowed values are CREATING,\nAVAILABLE, DELETING, CREATE-FAILED and MODIFYING.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ServerlessCache","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ServerlessCache"},"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheList":{"description":"ServerlessCacheList is a list of ServerlessCache","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of serverlesscaches. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.ServerlessCache"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ServerlessCacheList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheList"},"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheSnapshot":{"description":"ServerlessCacheSnapshot is the Schema for the ServerlessCacheSnapshots API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ServerlessCacheSnapshotSpec defines the desired state of ServerlessCacheSnapshot.\n\nThe resource representing a serverless cache snapshot. 
Available for Valkey,\nRedis OSS and Serverless Memcached only.","type":"object","required":["serverlessCacheSnapshotName"],"properties":{"kmsKeyID":{"description":"The ID of the KMS key used to encrypt the snapshot. Available for Valkey,\nRedis OSS and Serverless Memcached only. Default: NULL","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"kmsKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"serverlessCacheName":{"description":"The name of an existing serverless cache. The snapshot is created from this\ncache. Available for Valkey, Redis OSS and Serverless Memcached only.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"serverlessCacheRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"serverlessCacheSnapshotName":{"description":"The name for the snapshot being created. Must be unique for the customer\naccount. Available for Valkey, Redis OSS and Serverless Memcached only. 
Must\nbe between 1 and 255 characters.","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"tags":{"description":"A list of tags to be added to the snapshot resource. A tag is a key-value\npair. Available for Valkey, Redis OSS and Serverless Memcached only.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"ServerlessCacheSnapshotStatus defines the observed state of ServerlessCacheSnapshot","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"bytesUsedForCache":{"description":"The total size of a serverless cache snapshot, in bytes. Available for Valkey,\nRedis OSS and Serverless Memcached only.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"createTime":{"description":"The date and time that the source serverless cache's metadata and cache data\nset 
was obtained for the snapshot. Available for Valkey, Redis OSS and Serverless\nMemcached only.","type":"string","format":"date-time"},"expiryTime":{"description":"The time that the serverless cache snapshot will expire. Available for Valkey,\nRedis OSS and Serverless Memcached only.","type":"string","format":"date-time"},"serverlessCacheConfiguration":{"description":"The configuration of the serverless cache, at the time the snapshot was taken.\nAvailable for Valkey, Redis OSS and Serverless Memcached only.","type":"object","properties":{"engine":{"type":"string"},"majorEngineVersion":{"type":"string"},"serverlessCacheName":{"type":"string"}}},"snapshotType":{"description":"The type of snapshot of serverless cache. Available for Valkey, Redis OSS\nand Serverless Memcached only.","type":"string"},"status":{"description":"The current status of the serverless cache. Available for Valkey, Redis OSS\nand Serverless Memcached only.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ServerlessCacheSnapshot","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheSnapshot"},"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheSnapshotList":{"description":"ServerlessCacheSnapshotList is a list of ServerlessCacheSnapshot","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of serverlesscachesnapshots. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.ServerlessCacheSnapshot"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"ServerlessCacheSnapshotList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.ServerlessCacheSnapshotList"},"aws.k8s.services.elasticache.v1alpha1.Snapshot":{"description":"Snapshot is the Schema for the Snapshots API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SnapshotSpec defines the desired state of Snapshot.\n\nRepresents a copy of an entire Valkey or Redis OSS cluster as of the time\nwhen the snapshot was taken.","type":"object","required":["snapshotName"],"properties":{"cacheClusterID":{"description":"The identifier of an existing cluster. The snapshot is created from this\ncluster.","type":"string"},"kmsKeyID":{"description":"The ID of the KMS key used to encrypt the snapshot.","type":"string"},"replicationGroupID":{"description":"The identifier of an existing replication group. The snapshot is created\nfrom this replication group.","type":"string"},"snapshotName":{"description":"A name for the snapshot being created.","type":"string"},"sourceSnapshotName":{"description":"The name of an existing snapshot from which to make a copy.","type":"string"},"tags":{"description":"A list of tags to be added to this resource. A tag is a key-value pair. A\ntag key must be accompanied by a tag value, although null is accepted.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. 
A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"SnapshotStatus defines the observed state of Snapshot","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"autoMinorVersionUpgrade":{"description":"If you are running Valkey 7.2 and above or Redis OSS engine version 6.0 and\nabove, set this parameter to yes if you want to opt-in to the next auto minor\nversion upgrade campaign. 
This parameter is disabled for previous versions.","type":"boolean"},"automaticFailover":{"description":"Indicates the status of automatic failover for the source Valkey or Redis\nOSS replication group.","type":"string"},"cacheClusterCreateTime":{"description":"The date and time when the source cluster was created.","type":"string","format":"date-time"},"cacheNodeType":{"description":"The name of the compute and memory capacity node type for the source cluster.\n\nThe following node types are supported by ElastiCache. Generally speaking,\nthe current generation types provide more memory and computational power\nat lower cost when compared to their equivalent previous generation counterparts.\n\n   * General purpose: Current generation: M7g node types: cache.m7g.large,\n   cache.m7g.xlarge, cache.m7g.2xlarge, cache.m7g.4xlarge, cache.m7g.8xlarge,\n   cache.m7g.12xlarge, cache.m7g.16xlarge For region availability, see Supported\n   Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n   M6g node types (available only for Redis OSS engine version 5.0.6 onward\n   and for Memcached engine version 1.5.16 onward): cache.m6g.large, cache.m6g.xlarge,\n   cache.m6g.2xlarge, cache.m6g.4xlarge, cache.m6g.8xlarge, cache.m6g.12xlarge,\n   cache.m6g.16xlarge M5 node types: cache.m5.large, cache.m5.xlarge, cache.m5.2xlarge,\n   cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge M4 node types:\n   cache.m4.large, cache.m4.xlarge, cache.m4.2xlarge, cache.m4.4xlarge, cache.m4.10xlarge\n   T4g node types (available only for Redis OSS engine version 5.0.6 onward\n   and Memcached engine version 1.5.16 onward): cache.t4g.micro, cache.t4g.small,\n   cache.t4g.medium T3 node types: cache.t3.micro, cache.t3.small, cache.t3.medium\n   T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium Previous\n   generation: (not recommended. 
Existing clusters are still supported but\n   creation of new clusters is not supported for these types.) T1 node types:\n   cache.t1.micro M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,\n   cache.m1.xlarge M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,\n   cache.m3.2xlarge\n\n   * Compute optimized: Previous generation: (not recommended. Existing clusters\n   are still supported but creation of new clusters is not supported for\n   these types.) C1 node types: cache.c1.xlarge\n\n   * Memory optimized: Current generation: R7g node types: cache.r7g.large,\n   cache.r7g.xlarge, cache.r7g.2xlarge, cache.r7g.4xlarge, cache.r7g.8xlarge,\n   cache.r7g.12xlarge, cache.r7g.16xlarge For region availability, see Supported\n   Node Types (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n   R6g node types (available only for Redis OSS engine version 5.0.6 onward\n   and for Memcached engine version 1.5.16 onward): cache.r6g.large, cache.r6g.xlarge,\n   cache.r6g.2xlarge, cache.r6g.4xlarge, cache.r6g.8xlarge, cache.r6g.12xlarge,\n   cache.r6g.16xlarge R5 node types: cache.r5.large, cache.r5.xlarge, cache.r5.2xlarge,\n   cache.r5.4xlarge, cache.r5.12xlarge, cache.r5.24xlarge R4 node types:\n   cache.r4.large, cache.r4.xlarge, cache.r4.2xlarge, cache.r4.4xlarge, cache.r4.8xlarge,\n   cache.r4.16xlarge Previous generation: (not recommended. Existing clusters\n   are still supported but creation of new clusters is not supported for\n   these types.) 
M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge\n   R3 node types: cache.r3.large, cache.r3.xlarge, cache.r3.2xlarge, cache.r3.4xlarge,\n   cache.r3.8xlarge\n\nAdditional node type info\n\n   * All current generation instance types are created in Amazon VPC by default.\n\n   * Valkey or Redis OSS append-only files (AOF) are not supported for T1\n   or T2 instances.\n\n   * Valkey or Redis OSS Multi-AZ with automatic failover is not supported\n   on T1 instances.\n\n   * The configuration variables appendonly and appendfsync are not supported\n   on Valkey, or on Redis OSS version 2.8.22 and later.","type":"string"},"cacheParameterGroupName":{"description":"The cache parameter group that is associated with the source cluster.","type":"string"},"cacheSubnetGroupName":{"description":"The name of the cache subnet group associated with the source cluster.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dataTiering":{"description":"Enables data tiering. 
Data tiering is only supported for replication groups\nusing the r6gd node type. This parameter must be set to true when using r6gd\nnodes. For more information, see Data tiering (https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/data-tiering.html).","type":"string"},"engine":{"description":"The name of the cache engine (memcached or redis) used by the source cluster.","type":"string"},"engineVersion":{"description":"The version of the cache engine version that is used by the source cluster.","type":"string"},"nodeSnapshots":{"description":"A list of the cache nodes in the source cluster.","type":"array","items":{"description":"Represents an individual cache node in a snapshot of a cluster.","type":"object","properties":{"cacheClusterID":{"type":"string"},"cacheNodeCreateTime":{"type":"string","format":"date-time"},"cacheNodeID":{"type":"string"},"cacheSize":{"type":"string"},"nodeGroupConfiguration":{"description":"Node group (shard) configuration options. Each node group (shard) configuration\nhas the following: Slots, PrimaryAvailabilityZone, ReplicaAvailabilityZones,\nReplicaCount.","type":"object","properties":{"nodeGroupID":{"type":"string"},"primaryAvailabilityZone":{"type":"string"},"primaryOutpostARN":{"type":"string"},"replicaAvailabilityZones":{"type":"array","items":{"type":"string"}},"replicaCount":{"type":"integer","format":"int64"},"replicaOutpostARNs":{"type":"array","items":{"type":"string"}},"slots":{"type":"string"}}},"nodeGroupID":{"type":"string"},"snapshotCreateTime":{"type":"string","format":"date-time"}}}},"numCacheNodes":{"description":"The number of cache nodes in the source cluster.\n\nFor clusters running Valkey or Redis OSS, this value must be 1. For clusters\nrunning Memcached, this value must be between 1 and 40.","type":"integer","format":"int64"},"numNodeGroups":{"description":"The number of node groups (shards) in this snapshot. 
When restoring from\na snapshot, the number of node groups (shards) in the snapshot and in the\nrestored replication group must be the same.","type":"integer","format":"int64"},"port":{"description":"The port number used by each cache node in the source cluster.","type":"integer","format":"int64"},"preferredAvailabilityZone":{"description":"The name of the Availability Zone in which the source cluster is located.","type":"string"},"preferredMaintenanceWindow":{"description":"Specifies the weekly time range during which maintenance on the cluster is\nperformed. It is specified as a range in the format ddd:hh24:mi-ddd:hh24:mi\n(24H Clock UTC). The minimum maintenance window is a 60 minute period.\n\nValid values for ddd are:\n\n   * sun\n\n   * mon\n\n   * tue\n\n   * wed\n\n   * thu\n\n   * fri\n\n   * sat\n\nExample: sun:23:00-mon:01:30","type":"string"},"preferredOutpostARN":{"description":"The ARN (Amazon Resource Name) of the preferred outpost.","type":"string"},"replicationGroupDescription":{"description":"A description of the source replication group.","type":"string"},"snapshotRetentionLimit":{"description":"For an automatic snapshot, the number of days for which ElastiCache retains\nthe snapshot before deleting it.\n\nFor manual snapshots, this field reflects the SnapshotRetentionLimit for\nthe source cluster when the snapshot was created. This field is otherwise\nignored: Manual snapshots do not expire, and can only be deleted using the\nDeleteSnapshot operation.\n\nImportant If the value of SnapshotRetentionLimit is set to zero (0), backups\nare turned off.","type":"integer","format":"int64"},"snapshotSource":{"description":"Indicates whether the snapshot is from an automatic backup (automated) or\nwas created manually (manual).","type":"string"},"snapshotStatus":{"description":"The status of the snapshot. 
Valid values: creating | available | restoring\n| copying | deleting.","type":"string"},"snapshotWindow":{"description":"The daily time range during which ElastiCache takes daily snapshots of the\nsource cluster.","type":"string"},"topicARN":{"description":"The Amazon Resource Name (ARN) for the topic used by the source cluster for\npublishing notifications.","type":"string"},"vpcID":{"description":"The Amazon Virtual Private Cloud identifier (VPC ID) of the cache subnet\ngroup for the source cluster.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"Snapshot","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.Snapshot"},"aws.k8s.services.elasticache.v1alpha1.SnapshotList":{"description":"SnapshotList is a list of Snapshot","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of snapshots. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.Snapshot"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"SnapshotList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.SnapshotList"},"aws.k8s.services.elasticache.v1alpha1.User":{"description":"User is the Schema for the Users API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["accessString","engine","userID","userName"],"properties":{"accessString":{"description":"Access permissions string used for this user.\n\nRegex Pattern: `\\S`","type":"string"},"engine":{"description":"The options are valkey or redis.\n\nRegex Pattern: `^[a-zA-Z]*$`","type":"string"},"noPasswordRequired":{"description":"Indicates a password is not required for this user.","type":"boolean"},"passwords":{"description":"Passwords used for this user. 
You can create up to two passwords for each\nuser.","type":"array","items":{"description":"SecretKeyReference combines a k8s corev1.SecretReference with a\nspecific key within the referred-to Secret","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"}},"tags":{"description":"A list of tags to be added to this resource. A tag is a key-value pair. A\ntag key must be accompanied by a tag value, although null is accepted.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"userID":{"description":"The ID of the user.\n\nRegex Pattern: `^[a-zA-Z][a-zA-Z0-9\\-]*$`","type":"string"},"userName":{"description":"The username of the user.","type":"string"}}},"status":{"description":"UserStatus defines the observed state of User","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"authentication":{"description":"Denotes whether the user requires a password to authenticate.","type":"object","properties":{"passwordCount":{"type":"integer","format":"int64"},"type_":{"type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"expandedAccessString":{"description":"Access permissions string used for this 
user.","type":"string"},"lastRequestedAccessString":{"description":"Access permissions string used for this user.","type":"string"},"minimumEngineVersion":{"description":"The minimum engine version required, which is Redis OSS 6.0","type":"string"},"status":{"description":"Indicates the user status. Can be \"active\", \"modifying\" or \"deleting\".","type":"string"},"userGroupIDs":{"description":"Returns a list of the user group IDs the user belongs to.","type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"User","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.User"},"aws.k8s.services.elasticache.v1alpha1.UserGroup":{"description":"UserGroup is the Schema for the UserGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["engine","userGroupID"],"properties":{"engine":{"description":"Sets the engine listed in a user group. 
The options are valkey or redis.\n\nRegex Pattern: `^[a-zA-Z]*$`","type":"string"},"tags":{"description":"A list of tags to be added to this resource. A tag is a key-value pair. A\ntag key must be accompanied by a tag value, although null is accepted. Available\nfor Valkey and Redis OSS only.","type":"array","items":{"description":"A tag that can be added to an ElastiCache cluster or replication group. Tags\nare composed of a Key/Value pair. You can use tags to categorize and track\nall your ElastiCache resources, with the exception of global replication\ngroup. When you add or remove tags on replication groups, those actions will\nbe replicated to all nodes in the replication group. A tag with a null Value\nis permitted.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"userGroupID":{"description":"The ID of the user group.","type":"string"},"userIDs":{"description":"The list of user IDs that belong to the user group.","type":"array","items":{"type":"string"}}}},"status":{"description":"UserGroupStatus defines the observed state of UserGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"minimumEngineVersion":{"description":"The minimum engine version required, which is Redis OSS 6.0","type":"string"},"pendingChanges":{"description":"A list of updates being applied to the user 
group.","type":"object","properties":{"userIDsToAdd":{"type":"array","items":{"type":"string"}},"userIDsToRemove":{"type":"array","items":{"type":"string"}}}},"replicationGroups":{"description":"A list of replication groups that the user group can access.","type":"array","items":{"type":"string"}},"status":{"description":"Indicates user group status. Can be \"creating\", \"active\", \"modifying\", \"deleting\".","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"UserGroup","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.UserGroup"},"aws.k8s.services.elasticache.v1alpha1.UserGroupList":{"description":"UserGroupList is a list of UserGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of usergroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.UserGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"UserGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.UserGroupList"},"aws.k8s.services.elasticache.v1alpha1.UserList":{"description":"UserList is a list of User","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of users. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.elasticache.v1alpha1.User"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"elasticache.services.k8s.aws","kind":"UserList","version":"v1alpha1"}],"title":"aws.k8s.services.elasticache.v1alpha1.UserList"},"aws.k8s.services.opensearchservice.v1alpha1.Domain":{"description":"Domain is the Schema for the Domains API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DomainSpec defines the desired state of Domain.","type":"object","required":["name"],"properties":{"accessPolicies":{"description":"Identity and Access Management (IAM) policy document specifying the access\npolicies for the new domain.\n\nRegex Pattern: `.*`","type":"string"},"advancedOptions":{"description":"Key-value pairs to specify advanced configuration options. The following\nkey-value pairs are supported:\n\n  - \"rest.action.multi.allow_explicit_index\": \"true\" | \"false\" - Note the\n    use of a string rather than a boolean. 
Specifies whether explicit references\n    to indexes are allowed inside the body of HTTP requests. If you want to\n    configure access policies for domain sub-resources, such as specific indexes\n    and domain APIs, you must disable this property. Default is true.\n\n  - \"indices.fielddata.cache.size\": \"80\" - Note the use of a string rather\n    than a boolean. Specifies the percentage of heap space allocated to field\n    data. Default is unbounded.\n\n  - \"indices.query.bool.max_clause_count\": \"1024\" - Note the use of a string\n    rather than a boolean. Specifies the maximum number of clauses allowed\n    in a Lucene boolean query. Default is 1,024. Queries with more than the\n    permitted number of clauses result in a TooManyClauses error.\n\n  - \"override_main_response_version\": \"true\" | \"false\" - Note the use of\n    a string rather than a boolean. Specifies whether the domain reports its\n    version as 7.10 to allow Elasticsearch OSS clients and plugins to continue\n    working with it. 
Default is false when creating a domain and true when\n    upgrading a domain.\n\nFor more information, see Advanced cluster parameters (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomain-configure-advanced-options).","type":"object","additionalProperties":{"type":"string"}},"advancedSecurityOptions":{"description":"Options for fine-grained access control.","type":"object","properties":{"anonymousAuthEnabled":{"type":"boolean"},"enabled":{"type":"boolean"},"internalUserDatabaseEnabled":{"type":"boolean"},"jwtOptions":{"description":"The JWT authentication and authorization configuration for an Amazon OpenSearch\nService domain.","type":"object","properties":{"enabled":{"type":"boolean"},"publicKey":{"type":"string"},"rolesKey":{"type":"string"},"subjectKey":{"type":"string"}}},"masterUserOptions":{"description":"Credentials for the master user for a domain.","type":"object","properties":{"masterUserARN":{"description":"The Amazon Resource Name (ARN) of the domain. 
See Identifiers for IAM Entities\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/index.html) in Using Amazon\nWeb Services Identity and Access Management for more information.","type":"string"},"masterUserName":{"type":"string"},"masterUserPassword":{"description":"SecretKeyReference combines a k8s corev1.SecretReference with a\nspecific key within the referred-to Secret","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"sAMLOptions":{"description":"The SAML authentication configuration for an Amazon OpenSearch Service domain.","type":"object","properties":{"enabled":{"type":"boolean"},"idp":{"description":"The SAML identity provider information.","type":"object","properties":{"entityID":{"type":"string"},"metadataContent":{"type":"string"}}},"masterBackendRole":{"type":"string"},"masterUserName":{"type":"string"},"rolesKey":{"type":"string"},"sessionTimeoutMinutes":{"type":"integer","format":"int64"},"subjectKey":{"type":"string"}}}}},"aimlOptions":{"description":"Options for all machine learning features for the specified domain.","type":"object","properties":{"naturalLanguageQueryGenerationOptions":{"description":"Container for parameters required to enable the natural language query generation\nfeature.","type":"object","properties":{"desiredState":{"type":"string"}}}}},"autoTuneOptions":{"description":"Options for Auto-Tune.","type":"object","properties":{"desiredState":{"description":"The Auto-Tune desired state. Valid values are ENABLED and DISABLED.","type":"string"},"maintenanceSchedules":{"type":"array","items":{"description":"This object is deprecated. 
Use the domain's off-peak window (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/off-peak.html)\nto schedule Auto-Tune optimizations. For migration instructions, see Migrating\nfrom Auto-Tune maintenance windows (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/off-peak.html#off-peak-migrate).\n\nThe Auto-Tune maintenance schedule. For more information, see Auto-Tune for\nAmazon OpenSearch Service (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/auto-tune.html).","type":"object","properties":{"cronExpressionForRecurrence":{"type":"string"},"duration":{"description":"The duration of a maintenance schedule. For more information, see Auto-Tune\nfor Amazon OpenSearch Service (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/auto-tune.html).","type":"object","properties":{"unit":{"description":"The unit of a maintenance schedule duration. Valid value is HOUR.","type":"string"},"value":{"description":"Integer that specifies the value of a maintenance schedule duration.","type":"integer","format":"int64"}}},"startAt":{"type":"string","format":"date-time"}}}},"useOffPeakWindow":{"type":"boolean"}}},"clusterConfig":{"description":"Container for the cluster configuration of a domain.","type":"object","properties":{"coldStorageOptions":{"description":"Container for the parameters required to enable cold storage for an OpenSearch\nService domain. 
For more information, see Cold storage for Amazon OpenSearch\nService (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cold-storage.html).","type":"object","properties":{"enabled":{"type":"boolean"}}},"dedicatedMasterCount":{"type":"integer","format":"int64"},"dedicatedMasterEnabled":{"type":"boolean"},"dedicatedMasterType":{"type":"string"},"instanceCount":{"type":"integer","format":"int64"},"instanceType":{"type":"string"},"multiAZWithStandbyEnabled":{"type":"boolean"},"warmCount":{"type":"integer","format":"int64"},"warmEnabled":{"type":"boolean"},"warmType":{"type":"string"},"zoneAwarenessConfig":{"description":"The zone awareness configuration for an Amazon OpenSearch Service domain.","type":"object","properties":{"availabilityZoneCount":{"type":"integer","format":"int64"}}},"zoneAwarenessEnabled":{"type":"boolean"}}},"cognitoOptions":{"description":"Key-value pairs to configure Amazon Cognito authentication. For more information,\nsee Configuring Amazon Cognito authentication for OpenSearch Dashboards (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html).","type":"object","properties":{"enabled":{"type":"boolean"},"identityPoolID":{"type":"string"},"roleARN":{"type":"string"},"userPoolID":{"type":"string"}}},"domainEndpointOptions":{"description":"Additional options for the domain endpoint, such as whether to require HTTPS\nfor all traffic.","type":"object","properties":{"customEndpoint":{"type":"string"},"customEndpointCertificateARN":{"description":"The Amazon Resource Name (ARN) of the domain. 
See Identifiers for IAM Entities\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/index.html) in Using Amazon\nWeb Services Identity and Access Management for more information.","type":"string"},"customEndpointEnabled":{"type":"boolean"},"enforceHTTPS":{"type":"boolean"},"tlsSecurityPolicy":{"type":"string"}}},"ebsOptions":{"description":"Container for the parameters required to enable EBS-based storage for an\nOpenSearch Service domain.","type":"object","properties":{"ebsEnabled":{"type":"boolean"},"iops":{"type":"integer","format":"int64"},"throughput":{"type":"integer","format":"int64"},"volumeSize":{"type":"integer","format":"int64"},"volumeType":{"description":"The type of EBS volume that a domain uses. For more information, see Configuring\nEBS-based storage (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/opensearch-createupdatedomains.html#opensearch-createdomain-configure-ebs).","type":"string"}}},"encryptionAtRestOptions":{"description":"Key-value pairs to enable encryption at rest.","type":"object","properties":{"enabled":{"type":"boolean"},"kmsKeyID":{"type":"string"}}},"engineVersion":{"description":"String of format Elasticsearch_X.Y or OpenSearch_X.Y to specify the engine\nversion for the OpenSearch Service domain. For example, OpenSearch_1.0 or\nElasticsearch_7.9. For more information, see Creating and managing Amazon\nOpenSearch Service domains (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains).\n\nRegex Pattern: `^Elasticsearch_[0-9]{1}\\.[0-9]{1,2}$|^OpenSearch_[0-9]{1,2}\\.[0-9]{1,2}$`","type":"string"},"ipAddressType":{"description":"Specify either dual stack or IPv4 as your IP address type. Dual stack allows\nyou to share domain resources across IPv4 and IPv6 address types, and is\nthe recommended option. 
If you set your IP address type to dual stack, you\ncan't change your address type later.","type":"string"},"logPublishingOptions":{"description":"Key-value pairs to configure log publishing.","type":"object","additionalProperties":{"description":"Specifies whether the Amazon OpenSearch Service domain publishes the OpenSearch\napplication and slow logs to Amazon CloudWatch. For more information, see\nMonitoring OpenSearch logs with Amazon CloudWatch Logs (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html).\n\nAfter you enable log publishing, you still have to enable the collection\nof slow logs using the OpenSearch REST API.","type":"object","properties":{"cloudWatchLogsLogGroupARN":{"description":"ARN of the CloudWatch log group to publish logs to.","type":"string"},"enabled":{"type":"boolean"}}}},"name":{"description":"Name of the OpenSearch Service domain to create. Domain names are unique\nacross the domains owned by an account within an Amazon Web Services Region.\n\nRegex Pattern: `^[a-z][a-z0-9\\-]+$`","type":"string"},"nodeToNodeEncryptionOptions":{"description":"Enables node-to-node encryption.","type":"object","properties":{"enabled":{"type":"boolean"}}},"offPeakWindowOptions":{"description":"Specifies a daily 10-hour time block during which OpenSearch Service can\nperform configuration changes on the domain, including service software updates\nand Auto-Tune enhancements that require a blue/green deployment. If no options\nare specified, the default start time of 10:00 P.M. local time (for the Region\nthat the domain is created in) is used.","type":"object","properties":{"enabled":{"type":"boolean"},"offPeakWindow":{"description":"A custom 10-hour, low-traffic window during which OpenSearch Service can\nperform mandatory configuration changes on the domain. 
These actions can\ninclude scheduled service software updates and blue/green Auto-Tune enhancements.\nOpenSearch Service will schedule these actions during the window that you\nspecify.\n\nIf you don't specify a window start time, it defaults to 10:00 P.M. local\ntime.\n\nFor more information, see Defining off-peak maintenance windows for Amazon\nOpenSearch Service (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/off-peak.html).","type":"object","properties":{"windowStartTime":{"description":"The desired start time for an off-peak maintenance window (https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_OffPeakWindow.html).","type":"object","properties":{"hours":{"type":"integer","format":"int64"},"minutes":{"type":"integer","format":"int64"}}}}}}},"softwareUpdateOptions":{"description":"Software update options for the domain.","type":"object","properties":{"autoSoftwareUpdateEnabled":{"type":"boolean"}}},"tags":{"description":"List of tags to add to the domain upon creation.","type":"array","items":{"description":"A tag (key-value pair) for an Amazon OpenSearch Service resource.","type":"object","properties":{"key":{"description":"A string between 1 to 128 characters that specifies the key for a tag. Tag\nkeys must be unique for the domain to which they're attached.","type":"string"},"value":{"description":"A string between 0 to 256 characters that specifies the value for a tag.\nTag values can be null and don't have to be unique in a tag set.","type":"string"}}}},"vpcOptions":{"description":"Container for the values required to configure VPC access domains. If you\ndon't specify these values, OpenSearch Service creates the domain with a\npublic endpoint. 
For more information, see Launching your Amazon OpenSearch\nService domains using a VPC (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html).","type":"object","properties":{"securityGroupIDs":{"type":"array","items":{"type":"string"}},"subnetIDs":{"type":"array","items":{"type":"string"}}}}}},"status":{"description":"DomainStatus defines the observed state of Domain","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"changeProgressDetails":{"description":"Information about a configuration change happening on the domain.","type":"object","properties":{"changeID":{"type":"string"},"configChangeStatus":{"type":"string"},"initiatedBy":{"type":"string"},"lastUpdatedTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"startTime":{"type":"string","format":"date-time"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that 
describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"created":{"description":"Creation status of an OpenSearch Service domain. True if domain creation\nis complete. False if domain creation is still in progress.","type":"boolean"},"deleted":{"description":"Deletion status of an OpenSearch Service domain. True if domain deletion\nis complete. False if domain deletion is still in progress. Once deletion\nis complete, the status of the domain is no longer returned.","type":"boolean"},"domainEndpointV2HostedZoneID":{"description":"The dual stack hosted zone ID for the domain.","type":"string"},"domainID":{"description":"Unique identifier for the domain.","type":"string"},"domainProcessingStatus":{"description":"The status of any changes that are currently in progress for the domain.","type":"string"},"endpoint":{"description":"Domain-specific endpoint used to submit index, search, and data upload requests\nto the domain.","type":"string"},"endpointV2":{"description":"If IPAddressType is set to dualstack, a version 2 domain endpoint is provisioned.\nThis endpoint functions like a normal endpoint, except that it works with\nboth IPv4 and IPv6 IP addresses. 
Normal endpoints work only with IPv4 IP\naddresses.","type":"string"},"endpoints":{"description":"The key-value pair that exists if the OpenSearch Service domain uses VPC\nendpoints. For example:\n\n   * IPv4 IP addresses - 'vpc','vpc-endpoint-h2dsd34efgyghrtguk5gt6j2foh4.us-east-1.es.amazonaws.com'\n\n   * Dual stack IP addresses - 'vpcv2':'vpc-endpoint-h2dsd34efgyghrtguk5gt6j2foh4.aos.us-east-1.on.aws'","type":"object","additionalProperties":{"type":"string"}},"modifyingProperties":{"description":"Information about the domain properties that are currently being modified.","type":"array","items":{"description":"Information about the domain properties that are currently being modified.","type":"object","properties":{"activeValue":{"type":"string"},"name":{"type":"string"},"pendingValue":{"type":"string"},"valueType":{"type":"string"}}}},"processing":{"description":"The status of the domain configuration. True if OpenSearch Service is processing\nconfiguration changes. False if the configuration is active.","type":"boolean"},"serviceSoftwareOptions":{"description":"The current status of the domain's service software.","type":"object","properties":{"automatedUpdateDate":{"type":"string","format":"date-time"},"cancellable":{"type":"boolean"},"currentVersion":{"type":"string"},"description":{"type":"string"},"newVersion":{"type":"string"},"optionalDeployment":{"type":"boolean"},"updateAvailable":{"type":"boolean"},"updateStatus":{"type":"string"}}},"snapshotOptions":{"description":"DEPRECATED. Container for parameters required to configure automated snapshots\nof domain indexes.","type":"object","properties":{"automatedSnapshotStartHour":{"type":"integer","format":"int64"}}},"upgradeProcessing":{"description":"The status of a domain version upgrade to a new version of OpenSearch or\nElasticsearch. True if OpenSearch Service is in the process of a version\nupgrade. 
False if the configuration is active.","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"opensearchservice.services.k8s.aws","kind":"Domain","version":"v1alpha1"}],"title":"aws.k8s.services.opensearchservice.v1alpha1.Domain"},"aws.k8s.services.opensearchservice.v1alpha1.DomainList":{"description":"DomainList is a list of Domain","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of domains. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.opensearchservice.v1alpha1.Domain"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opensearchservice.services.k8s.aws","kind":"DomainList","version":"v1alpha1"}],"title":"aws.k8s.services.opensearchservice.v1alpha1.DomainList"},"aws.k8s.services.rds.v1alpha1.DBCluster":{"description":"DBCluster is the Schema for the DBClusters API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBClusterSpec defines the desired state of DBCluster.\n\nContains the details of an Amazon Aurora DB cluster or Multi-AZ DB cluster.\n\nFor an Amazon Aurora DB cluster, this data type is used as a response element\nin the operations CreateDBCluster, DeleteDBCluster, DescribeDBClusters, FailoverDBCluster,\nModifyDBCluster, PromoteReadReplicaDBCluster, RestoreDBClusterFromS3, RestoreDBClusterFromSnapshot,\nRestoreDBClusterToPointInTime, StartDBCluster, and StopDBCluster.\n\nFor a Multi-AZ DB cluster, this data type is used as a response element in\nthe operations CreateDBCluster, DeleteDBCluster, DescribeDBClusters, FailoverDBCluster,\nModifyDBCluster, RebootDBCluster, RestoreDBClusterFromSnapshot, and RestoreDBClusterToPointInTime.\n\nFor more information on Amazon Aurora DB clusters, see What is Amazon Aurora?\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html)\nin the Amazon Aurora User Guide.\n\nFor more information on Multi-AZ DB clusters, see Multi-AZ deployments with\ntwo readable standby DB instances (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html)\nin the Amazon RDS User 
Guide.","type":"object","required":["dbClusterIdentifier","engine"],"properties":{"allocatedStorage":{"description":"The amount of storage in gibibytes (GiB) to allocate to each DB instance\nin the Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nThis setting is required to create a Multi-AZ DB cluster.","type":"integer","format":"int64"},"autoMinorVersionUpgrade":{"description":"Specifies whether minor engine upgrades are applied automatically to the\nDB cluster during the maintenance window. By default, minor engine upgrades\nare applied automatically.\n\nValid for Cluster Type: Multi-AZ DB clusters only","type":"boolean"},"availabilityZones":{"description":"A list of Availability Zones (AZs) where you specifically want to create\nDB instances in the DB cluster.\n\nFor information on AZs, see Availability Zones (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.RegionsAndAvailabilityZones.html#Concepts.RegionsAndAvailabilityZones.AvailabilityZones)\nin the Amazon Aurora User Guide.\n\nValid for Cluster Type: Aurora DB clusters only\n\nConstraints:\n\n  - Can't specify more than three AZs.","type":"array","items":{"type":"string"}},"backtrackWindow":{"description":"The target backtrack window, in seconds. 
To disable backtracking, set this\nvalue to 0.\n\nValid for Cluster Type: Aurora MySQL DB clusters only\n\nDefault: 0\n\nConstraints:\n\n  - If specified, this value must be set to a number from 0 to 259,200 (72\n    hours).","type":"integer","format":"int64"},"backupRetentionPeriod":{"description":"The number of days for which automated backups are retained.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nDefault: 1\n\nConstraints:\n\n  - Must be a value from 1 to 35.","type":"integer","format":"int64"},"characterSetName":{"description":"The name of the character set (CharacterSet) to associate the DB cluster\nwith.\n\nValid for Cluster Type: Aurora DB clusters only","type":"string"},"copyTagsToSnapshot":{"description":"Specifies whether to copy all tags from the DB cluster to snapshots of the\nDB cluster. The default is not to copy them.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"boolean"},"databaseInsightsMode":{"description":"Specifies the mode of Database Insights to enable for the cluster.","type":"string"},"databaseName":{"description":"The name for your database of up to 64 alphanumeric characters. A database\nnamed postgres is always created. If this parameter is specified, an additional\ndatabase with this name is created.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"dbClusterIdentifier":{"description":"The identifier for this DB cluster. 
This parameter is stored as a lowercase\nstring.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - Must contain from 1 to 63 (for Aurora DB clusters) or 1 to 52 (for Multi-AZ\n    DB clusters) letters, numbers, or hyphens.\n\n  - First character must be a letter.\n\n  - Can't end with a hyphen or contain two consecutive hyphens.\n\nExample: my-cluster1","type":"string"},"dbClusterInstanceClass":{"description":"The compute and memory capacity of each DB instance in the Multi-AZ DB cluster,\nfor example db.m6gd.xlarge. Not all DB instance classes are available in\nall Amazon Web Services Regions, or for all database engines.\n\nFor the full list of DB instance classes and availability for your engine,\nsee DB instance class (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html)\nin the Amazon RDS User Guide.\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only","type":"string"},"dbClusterParameterGroupName":{"description":"The name of the DB cluster parameter group to associate with this DB cluster.\nIf you don't specify a value, then the default DB cluster parameter group\nfor the specified DB engine and version is used.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - If supplied, must match the name of an existing DB cluster parameter\n    group.","type":"string"},"dbClusterParameterGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dbSubnetGroupName":{"description":"A DB subnet group to associate with this DB cluster.\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - Must match the name of an existing DB subnet group.\n\nExample: mydbsubnetgroup","type":"string"},"dbSubnetGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dbSystemID":{"description":"Reserved for future use.","type":"string"},"deletionProtection":{"description":"Specifies whether the DB cluster has deletion protection enabled. The database\ncan't be deleted when deletion protection is enabled. 
By default, deletion\nprotection isn't enabled.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"boolean"},"destinationRegion":{"description":"DestinationRegion is used for presigning the request to a given region.","type":"string"},"domain":{"description":"The Active Directory directory ID to create the DB cluster in.\n\nFor Amazon Aurora DB clusters, Amazon RDS can use Kerberos authentication\nto authenticate users that connect to the DB cluster.\n\nFor more information, see Kerberos authentication (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/kerberos-authentication.html)\nin the Amazon Aurora User Guide.\n\nValid for Cluster Type: Aurora DB clusters only","type":"string"},"domainIAMRoleName":{"description":"The name of the IAM role to use when making API calls to the Directory Service.\n\nValid for Cluster Type: Aurora DB clusters only","type":"string"},"enableCloudwatchLogsExports":{"description":"The list of log types that need to be enabled for exporting to CloudWatch\nLogs.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nThe following values are valid for each DB engine:\n\n  - Aurora MySQL - audit | error | general | slowquery\n\n  - Aurora PostgreSQL - postgresql\n\n  - RDS for MySQL - error | general | slowquery\n\n  - RDS for PostgreSQL - postgresql | upgrade\n\nFor more information about exporting CloudWatch Logs for Amazon RDS, see\nPublishing Database Logs to Amazon CloudWatch Logs (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)\nin the Amazon RDS User Guide.\n\nFor more information about exporting CloudWatch Logs for Amazon Aurora, see\nPublishing Database Logs to Amazon CloudWatch Logs (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)\nin the Amazon Aurora User 
Guide.","type":"array","items":{"type":"string"}},"enableGlobalWriteForwarding":{"description":"Specifies whether to enable this DB cluster to forward write operations to\nthe primary cluster of a global cluster (Aurora global database). By default,\nwrite operations are not allowed on Aurora DB clusters that are secondary\nclusters in an Aurora global database.\n\nYou can set this value only on Aurora DB clusters that are members of an\nAurora global database. With this parameter enabled, a secondary cluster\ncan forward writes to the current primary cluster, and the resulting changes\nare replicated back to this cluster. For the primary DB cluster of an Aurora\nglobal database, this value is used immediately if the primary is demoted\nby a global cluster API operation, but it does nothing until then.\n\nValid for Cluster Type: Aurora DB clusters only","type":"boolean"},"enableHTTPEndpoint":{"description":"Specifies whether to enable the HTTP endpoint for the DB cluster. By default,\nthe HTTP endpoint isn't enabled.\n\nWhen enabled, the HTTP endpoint provides a connectionless web service API\n(RDS Data API) for running SQL queries on the DB cluster. You can also query\nyour database from inside the RDS console with the RDS query editor.\n\nRDS Data API is supported with the following DB clusters:\n\n  - Aurora PostgreSQL Serverless v2 and provisioned\n\n  - Aurora PostgreSQL and Aurora MySQL Serverless v1\n\nFor more information, see Using RDS Data API (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html)\nin the Amazon Aurora User Guide.\n\nValid for Cluster Type: Aurora DB clusters only","type":"boolean"},"enableIAMDatabaseAuthentication":{"description":"Specifies whether to enable mapping of Amazon Web Services Identity and Access\nManagement (IAM) accounts to database accounts. 
By default, mapping isn't\nenabled.\n\nFor more information, see IAM Database Authentication (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html)\nin the Amazon Aurora User Guide or IAM database authentication for MariaDB,\nMySQL, and PostgreSQL (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)\nin the Amazon RDS User Guide.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"boolean"},"enablePerformanceInsights":{"description":"Specifies whether to turn on Performance Insights for the DB cluster.\n\nFor more information, see Using Amazon Performance Insights (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html)\nin the Amazon RDS User Guide.\n\nValid for Cluster Type: Multi-AZ DB clusters only","type":"boolean"},"engine":{"description":"The database engine to use for this DB cluster.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n  - aurora-mysql\n\n  - aurora-postgresql\n\n  - mysql\n\n  - postgres\n\n  - neptune - For information about using Amazon Neptune, see the Amazon\n    Neptune User Guide (https://docs.aws.amazon.com/neptune/latest/userguide/intro.html).","type":"string"},"engineMode":{"description":"The DB engine mode of the DB cluster, either provisioned or serverless.\n\nThe serverless engine mode only applies for Aurora Serverless v1 DB clusters.\nAurora Serverless v2 DB clusters use the provisioned engine mode.\n\nFor information about limitations and requirements for Serverless DB clusters,\nsee the following sections in the Amazon Aurora User Guide:\n\n  - Limitations of Aurora Serverless v1 (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations)\n\n  - Requirements for Aurora Serverless v2 (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html)\n\nValid for Cluster Type: 
Aurora DB clusters only","type":"string"},"engineVersion":{"description":"The version number of the database engine to use.\n\nTo list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible)\nand version 3 (MySQL 8.0-compatible), use the following command:\n\naws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"\n\nYou can supply either 5.7 or 8.0 to use the default engine version for Aurora\nMySQL version 2 or version 3, respectively.\n\nTo list all of the available engine versions for Aurora PostgreSQL, use the\nfollowing command:\n\naws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"\n\nTo list all of the available engine versions for RDS for MySQL, use the following\ncommand:\n\naws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"\n\nTo list all of the available engine versions for RDS for PostgreSQL, use\nthe following command:\n\naws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"\n\nFor information about a specific engine, see the following topics:\n\n  - Aurora MySQL - see Database engine updates for Amazon Aurora MySQL (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Updates.html)\n    in the Amazon Aurora User Guide.\n\n  - Aurora PostgreSQL - see Amazon Aurora PostgreSQL releases and engine\n    versions (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html)\n    in the Amazon Aurora User Guide.\n\n  - RDS for MySQL - see Amazon RDS for MySQL (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt)\n    in the Amazon RDS User Guide.\n\n  - RDS for PostgreSQL - see Amazon RDS for PostgreSQL (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts)\n    in the Amazon RDS User 
Guide.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"globalClusterIdentifier":{"description":"The global cluster ID of an Aurora cluster that becomes the primary cluster\nin the new global database cluster.\n\nValid for Cluster Type: Aurora DB clusters only","type":"string"},"iops":{"description":"The amount of Provisioned IOPS (input/output operations per second) to be\ninitially allocated for each DB instance in the Multi-AZ DB cluster.\n\nFor information about valid IOPS values, see Provisioned IOPS storage (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS)\nin the Amazon RDS User Guide.\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nConstraints:\n\n  - Must be a multiple between .5 and 50 of the storage amount for the DB\n    cluster.","type":"integer","format":"int64"},"kmsKeyID":{"description":"The Amazon Web Services KMS key identifier for an encrypted DB cluster.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key. To use a KMS key in a different Amazon\nWeb Services account, specify the key ARN or alias ARN.\n\nWhen a KMS key isn't specified in KmsKeyId:\n\n  - If ReplicationSourceIdentifier identifies an encrypted source, then\n    Amazon RDS uses the KMS key used to encrypt the source. Otherwise, Amazon\n    RDS uses your default KMS key.\n\n  - If the StorageEncrypted parameter is enabled and ReplicationSourceIdentifier\n    isn't specified, then Amazon RDS uses your default KMS key.\n\nThere is a default KMS key for your Amazon Web Services account. 
Your Amazon\nWeb Services account has a different default KMS key for each Amazon Web\nServices Region.\n\nIf you create a read replica of an encrypted DB cluster in another Amazon\nWeb Services Region, make sure to set KmsKeyId to a KMS key identifier that\nis valid in the destination Amazon Web Services Region. This KMS key is used\nto encrypt the read replica in that Amazon Web Services Region.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"kmsKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"manageMasterUserPassword":{"description":"Specifies whether to manage the master user password with Amazon Web Services\nSecrets Manager.\n\nFor more information, see Password management with Amazon Web Services Secrets\nManager (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\nin the Amazon RDS User Guide and Password management with Amazon Web Services\nSecrets Manager (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html)\nin the Amazon Aurora User Guide.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - Can't manage the master user password with Amazon Web Services Secrets\n    Manager if MasterUserPassword is specified.","type":"boolean"},"masterUserPassword":{"description":"The password for the master database user.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - Must contain from 8 to 41 characters.\n\n  - Can contain any printable 
ASCII character except \"/\", \"\"\", or \"@\".\n\n  - Can't be specified if ManageMasterUserPassword is turned on.\n\nIn this schema the field is a reference to a key within a secret resource\n(name, namespace, key), not the literal password value.","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"masterUserSecretKMSKeyID":{"description":"The Amazon Web Services KMS key identifier to encrypt a secret that is automatically\ngenerated and managed in Amazon Web Services Secrets Manager.\n\nThis setting is valid only if the master user password is managed by RDS\nin Amazon Web Services Secrets Manager for the DB cluster.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key. To use a KMS key in a different Amazon\nWeb Services account, specify the key ARN or alias ARN.\n\nIf you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager\nKMS key is used to encrypt the secret. If the secret is in a different Amazon\nWeb Services account, then you can't use the aws/secretsmanager KMS key to\nencrypt the secret, and you must use a customer managed KMS key.\n\nThere is a default KMS key for your Amazon Web Services account. 
Your Amazon\nWeb Services account has a different default KMS key for each Amazon Web\nServices Region.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"masterUserSecretKMSKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"masterUsername":{"description":"The name of the master user for the DB cluster.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n  - Must be 1 to 16 letters or numbers.\n\n  - First character must be a letter.\n\n  - Can't be a reserved word for the chosen database engine.","type":"string"},"monitoringInterval":{"description":"The interval, in seconds, between points when Enhanced Monitoring metrics\nare collected for the DB cluster. To turn off collecting Enhanced Monitoring\nmetrics, specify 0.\n\nIf MonitoringRoleArn is specified, also set MonitoringInterval to a value\nother than 0.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nValid Values: 0 | 1 | 5 | 10 | 15 | 30 | 60\n\nDefault: 0","type":"integer","format":"int64"},"monitoringRoleARN":{"description":"The Amazon Resource Name (ARN) for the IAM role that permits RDS to send\nEnhanced Monitoring metrics to Amazon CloudWatch Logs. 
An example is arn:aws:iam::123456789012:role/emaccess.\nFor information on creating a monitoring role, see Setting up and enabling\nEnhanced Monitoring (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.Enabling)\nin the Amazon RDS User Guide.\n\nIf MonitoringInterval is set to a value other than 0, supply a MonitoringRoleArn\nvalue.\n\nValid for Cluster Type: Multi-AZ DB clusters only","type":"string"},"networkType":{"description":"The network type of the DB cluster.\n\nThe network type is determined by the DBSubnetGroup specified for the DB\ncluster. A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and\nthe IPv6 protocols (DUAL).\n\nFor more information, see Working with a DB instance in a VPC (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html)\nin the Amazon Aurora User Guide.\n\nValid for Cluster Type: Aurora DB clusters only\n\nValid Values: IPV4 | DUAL","type":"string"},"optionGroupName":{"description":"The option group to associate the DB cluster with.\n\nDB clusters are associated with a default option group that can't be modified.","type":"string"},"performanceInsightsKMSKeyID":{"description":"The Amazon Web Services KMS key identifier for encryption of Performance\nInsights data.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key.\n\nIf you don't specify a value for PerformanceInsightsKMSKeyId, then Amazon\nRDS uses your default KMS key. There is a default KMS key for your Amazon\nWeb Services account. 
Your Amazon Web Services account has a different default\nKMS key for each Amazon Web Services Region.\n\nValid for Cluster Type: Multi-AZ DB clusters only","type":"string"},"performanceInsightsRetentionPeriod":{"description":"The number of days to retain Performance Insights data.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nValid Values:\n\n  - 7\n\n  - month * 31, where month is a number of months from 1-23. Examples: 93\n    (3 months * 31), 341 (11 months * 31), 589 (19 months * 31)\n\n  - 731\n\nDefault: 7 days\n\nIf you specify a retention period that isn't valid, such as 94, Amazon RDS\nissues an error.","type":"integer","format":"int64"},"port":{"description":"The port number on which the instances in the DB cluster accept connections.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values: 1150-65535\n\nDefault:\n\n  - RDS for MySQL and Aurora MySQL - 3306\n\n  - RDS for PostgreSQL and Aurora PostgreSQL - 5432","type":"integer","format":"int64"},"preSignedURL":{"description":"When you are replicating a DB cluster from one Amazon Web Services GovCloud\n(US) Region to another, an URL that contains a Signature Version 4 signed\nrequest for the CreateDBCluster operation to be called in the source Amazon\nWeb Services Region where the DB cluster is replicated from. 
Specify PreSignedUrl\nonly when you are performing cross-Region replication from an encrypted DB\ncluster.\n\nThe presigned URL must be a valid request for the CreateDBCluster API operation\nthat can run in the source Amazon Web Services Region that contains the encrypted\nDB cluster to copy.\n\nThe presigned URL request must contain the following parameter values:\n\n  - KmsKeyId - The KMS key identifier for the KMS key to use to encrypt\n    the copy of the DB cluster in the destination Amazon Web Services Region.\n    This should refer to the same KMS key for both the CreateDBCluster operation\n    that is called in the destination Amazon Web Services Region, and the\n    operation contained in the presigned URL.\n\n  - DestinationRegion - The name of the Amazon Web Services Region that\n    Aurora read replica will be created in.\n\n  - ReplicationSourceIdentifier - The DB cluster identifier for the encrypted\n    DB cluster to be copied. This identifier must be in the Amazon Resource\n    Name (ARN) format for the source Amazon Web Services Region. For example,\n    if you are copying an encrypted DB cluster from the us-west-2 Amazon Web\n    Services Region, then your ReplicationSourceIdentifier would look like\n    Example: arn:aws:rds:us-west-2:123456789012:cluster:aurora-cluster1.\n\nTo learn how to generate a Signature Version 4 signed request, see Authenticating\nRequests: Using Query Parameters (Amazon Web Services Signature Version 4)\n(https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html)\nand Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).\n\nIf you are using an Amazon Web Services SDK tool or the CLI, you can specify\nSourceRegion (or --source-region for the CLI) instead of specifying PreSignedUrl\nmanually. 
Specifying SourceRegion autogenerates a presigned URL that is a\nvalid request for the operation that can run in the source Amazon Web Services\nRegion.\n\nValid for Cluster Type: Aurora DB clusters only","type":"string"},"preferredBackupWindow":{"description":"The daily time range during which automated backups are created if automated\nbackups are enabled using the BackupRetentionPeriod parameter.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region. To view the time blocks available,\nsee Backup window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow)\nin the Amazon Aurora User Guide.\n\nConstraints:\n\n  - Must be in the format hh24:mi-hh24:mi.\n\n  - Must be in Universal Coordinated Time (UTC).\n\n  - Must not conflict with the preferred maintenance window.\n\n  - Must be at least 30 minutes.","type":"string"},"preferredMaintenanceWindow":{"description":"The weekly time range during which system maintenance can occur.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region, occurring on a random day of\nthe week. 
To see the time blocks available, see Adjusting the Preferred DB\nCluster Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora)\nin the Amazon Aurora User Guide.\n\nConstraints:\n\n  - Must be in the format ddd:hh24:mi-ddd:hh24:mi.\n\n  - Days must be one of Mon | Tue | Wed | Thu | Fri | Sat | Sun.\n\n  - Must be in Universal Coordinated Time (UTC).\n\n  - Must be at least 30 minutes.","type":"string"},"publiclyAccessible":{"description":"Specifies whether the DB cluster is publicly accessible.\n\nWhen the DB cluster is publicly accessible and you connect from outside of\nthe DB cluster's virtual private cloud (VPC), its Domain Name System (DNS)\nendpoint resolves to the public IP address. When you connect from within\nthe same VPC as the DB cluster, the endpoint resolves to the private IP address.\nAccess to the DB cluster is ultimately controlled by the security group it\nuses. Public access isn't permitted if the security group assigned to\nthe DB cluster doesn't permit it.\n\nWhen the DB cluster isn't publicly accessible, it is an internal DB cluster\nwith a DNS name that resolves to a private IP address.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nDefault: The default behavior varies depending on whether DBSubnetGroupName\nis specified.\n\nIf DBSubnetGroupName isn't specified, and PubliclyAccessible isn't specified,\nthe following applies:\n\n  - If the default VPC in the target Region doesn’t have an internet gateway\n    attached to it, the DB cluster is private.\n\n  - If the default VPC in the target Region has an internet gateway attached\n    to it, the DB cluster is public.\n\nIf DBSubnetGroupName is specified, and PubliclyAccessible isn't specified,\nthe following applies:\n\n  - If the subnets are part of a VPC that doesn’t have an internet gateway\n    attached to it, the DB cluster is private.\n\n  - If the subnets are part of a 
VPC that has an internet gateway attached\n    to it, the DB cluster is public.","type":"boolean"},"replicationSourceIdentifier":{"description":"The Amazon Resource Name (ARN) of the source DB instance or DB cluster if\nthis DB cluster is created as a read replica.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"restoreToTime":{"description":"The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n  - Must be before the latest restorable time for the DB instance\n\n  - Must be specified if UseLatestRestorableTime parameter isn't provided\n\n  - Can't be specified if the UseLatestRestorableTime parameter is enabled\n\n  - Can't be specified if the RestoreType parameter is copy-on-write\n\nExample: 2015-03-07T23:45:00Z\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters","type":"string","format":"date-time"},"restoreType":{"description":"The type of restore to be performed. 
You can specify one of the following\nvalues:\n\n  - full-copy - The new DB cluster is restored as a full copy of the source\n    DB cluster.\n\n  - copy-on-write - The new DB cluster is restored as a clone of the source\n    DB cluster.\n\nIf you don't specify a RestoreType value, then the new DB cluster is restored\nas a full copy of the source DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"scalingConfiguration":{"description":"For DB clusters in serverless DB engine mode, the scaling properties of the\nDB cluster.\n\nValid for Cluster Type: Aurora DB clusters only","type":"object","properties":{"autoPause":{"type":"boolean"},"maxCapacity":{"type":"integer","format":"int64"},"minCapacity":{"type":"integer","format":"int64"},"secondsBeforeTimeout":{"type":"integer","format":"int64"},"secondsUntilAutoPause":{"type":"integer","format":"int64"},"timeoutAction":{"type":"string"}}},"serverlessV2ScalingConfiguration":{"description":"Contains the scaling configuration of an Aurora Serverless v2 DB cluster.\n\nFor more information, see Using Amazon Aurora Serverless v2 (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"maxCapacity":{"type":"number"},"minCapacity":{"type":"number"},"secondsUntilAutoPause":{"type":"integer","format":"int64"}}},"snapshotIdentifier":{"description":"The identifier for the DB snapshot or DB cluster snapshot to restore from.\n\nYou can use either the name or the Amazon Resource Name (ARN) to specify\na DB cluster snapshot. 
However, you can use only the ARN to specify a DB\nsnapshot.\n\nConstraints:\n\n  - Must match the identifier of an existing Snapshot.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"sourceDBClusterIdentifier":{"description":"The identifier of the source DB cluster from which to restore.\n\nConstraints:\n\n  - Must match the identifier of an existing DBCluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters","type":"string"},"sourceRegion":{"description":"SourceRegion is the source region where the resource exists. This is not\nsent over the wire and is only used for presigning. This value should always\nhave the same region as the source ARN.","type":"string"},"storageEncrypted":{"description":"Specifies whether the DB cluster is encrypted.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"boolean"},"storageType":{"description":"The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see Storage configurations\nfor Amazon Aurora DB clusters (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type).\nFor information on storage types for Multi-AZ DB clusters, see Settings for\ncreating Multi-AZ DB clusters (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings).\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the Iops parameter\nis required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n  - Aurora DB clusters - aurora | aurora-iopt1\n\n  - Multi-AZ DB clusters - io1 | io2 | gp3\n\nDefault:\n\n  - Aurora DB clusters - aurora\n\n  - Multi-AZ DB clusters - io1\n\nWhen you create an Aurora DB cluster with the storage type set to aurora-iopt1,\nthe storage type is returned in the response. 
The storage type isn't returned\nwhen you set it to aurora.","type":"string"},"tags":{"description":"Tags to assign to the DB cluster.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"useLatestRestorableTime":{"description":"Specifies whether to restore the DB cluster to the latest restorable backup\ntime. By default, the DB cluster isn't restored to the latest restorable\nbackup time.\n\nConstraints: Can't be specified if RestoreToTime parameter is provided.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters","type":"boolean"},"vpcSecurityGroupIDs":{"description":"A list of EC2 VPC security groups to associate with this DB cluster.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters","type":"array","items":{"type":"string"}},"vpcSecurityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"status":{"description":"DBClusterStatus defines the observed state of 
DBCluster","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"activityStreamKMSKeyID":{"description":"The Amazon Web Services KMS key identifier used for encrypting messages in\nthe database activity stream.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key.","type":"string"},"activityStreamKinesisStreamName":{"description":"The name of the Amazon Kinesis data stream used for the database activity\nstream.","type":"string"},"activityStreamMode":{"description":"The mode of the database activity stream. Database events such as a change\nor access generate an activity stream event. 
The database session can handle\nthese events either synchronously or asynchronously.","type":"string"},"activityStreamStatus":{"description":"The status of the database activity stream.","type":"string"},"associatedRoles":{"description":"A list of the Amazon Web Services Identity and Access Management (IAM) roles\nthat are associated with the DB cluster. IAM roles that are associated with\na DB cluster grant permission for the DB cluster to access other Amazon Web\nServices on your behalf.","type":"array","items":{"description":"Describes an Amazon Web Services Identity and Access Management (IAM) role\nthat is associated with a DB cluster.","type":"object","properties":{"featureName":{"type":"string"},"roleARN":{"type":"string"},"status":{"type":"string"}}}},"automaticRestartTime":{"description":"The time when a stopped DB cluster is restarted automatically.","type":"string","format":"date-time"},"backtrackConsumedChangeRecords":{"description":"The number of change records stored for Backtrack.","type":"integer","format":"int64"},"capacity":{"description":"The current capacity of an Aurora Serverless v1 DB cluster. 
The capacity\nis 0 (zero) when the cluster is paused.\n\nFor more information about Aurora Serverless v1, see Using Amazon Aurora\nServerless v1 (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html)\nin the Amazon Aurora User Guide.","type":"integer","format":"int64"},"cloneGroupID":{"description":"The ID of the clone group with which the DB cluster is associated.","type":"string"},"clusterCreateTime":{"description":"The time when the DB cluster was created, in Universal Coordinated Time (UTC).","type":"string","format":"date-time"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"crossAccountClone":{"description":"Indicates whether the DB cluster is a clone of a DB cluster owned by a different\nAmazon Web Services account.","type":"boolean"},"customEndpoints":{"description":"The custom endpoints associated with the DB cluster.","type":"array","items":{"type":"string"}},"dbClusterMembers":{"description":"The list of DB instances that make up the DB 
cluster.","type":"array","items":{"description":"Contains information about an instance that is part of a DB cluster.","type":"object","properties":{"dbClusterParameterGroupStatus":{"type":"string"},"dbInstanceIdentifier":{"type":"string"},"isClusterWriter":{"type":"boolean"},"promotionTier":{"type":"integer","format":"int64"}}}},"dbClusterOptionGroupMemberships":{"description":"The list of option group memberships for this DB cluster.","type":"array","items":{"description":"Contains status information for a DB cluster option group.","type":"object","properties":{"dbClusterOptionGroupName":{"type":"string"},"status":{"type":"string"}}}},"dbClusterParameterGroup":{"description":"The name of the DB cluster parameter group for the DB cluster.","type":"string"},"dbClusterResourceID":{"description":"The Amazon Web Services Region-unique, immutable identifier for the DB cluster.\nThis identifier is found in Amazon Web Services CloudTrail log entries whenever\nthe KMS key for the DB cluster is accessed.","type":"string"},"dbSubnetGroup":{"description":"Information about the subnet group associated with the DB cluster, including\nthe name, description, and subnets in the subnet group.","type":"string"},"domainMemberships":{"description":"The Active Directory Domain membership records associated with the DB cluster.","type":"array","items":{"description":"An Active Directory Domain membership record associated with the DB instance\nor cluster.","type":"object","properties":{"domain":{"type":"string"},"fQDN":{"type":"string"},"iamRoleName":{"type":"string"},"status":{"type":"string"}}}},"earliestBacktrackTime":{"description":"The earliest time to which a DB cluster can be backtracked.","type":"string","format":"date-time"},"earliestRestorableTime":{"description":"The earliest time to which a database can be restored with point-in-time\nrestore.","type":"string","format":"date-time"},"enabledCloudwatchLogsExports":{"description":"A list of log types that this DB cluster is 
configured to export to CloudWatch\nLogs.\n\nLog types vary by DB engine. For information about the log types for each\nDB engine, see Amazon RDS Database Log Files (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html)\nin the Amazon Aurora User Guide.","type":"array","items":{"type":"string"}},"endpoint":{"description":"The connection endpoint for the primary instance of the DB cluster.","type":"string"},"globalWriteForwardingRequested":{"description":"Indicates whether write forwarding is enabled for a secondary cluster in\nan Aurora global database. Because write forwarding takes time to enable,\ncheck the value of GlobalWriteForwardingStatus to confirm that the request\nhas completed before using the write forwarding feature for this cluster.","type":"boolean"},"globalWriteForwardingStatus":{"description":"The status of write forwarding for a secondary cluster in an Aurora global\ndatabase.","type":"string"},"hostedZoneID":{"description":"The ID that Amazon Route 53 assigns when you create a hosted zone.","type":"string"},"httpEndpointEnabled":{"description":"Indicates whether the HTTP endpoint is enabled for an Aurora DB cluster.\n\nWhen enabled, the HTTP endpoint provides a connectionless web service API\n(RDS Data API) for running SQL queries on the DB cluster. 
You can also query\nyour database from inside the RDS console with the RDS query editor.\n\nFor more information, see Using RDS Data API (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html)\nin the Amazon Aurora User Guide.","type":"boolean"},"iamDatabaseAuthenticationEnabled":{"description":"Indicates whether the mapping of Amazon Web Services Identity and Access\nManagement (IAM) accounts to database accounts is enabled.","type":"boolean"},"latestRestorableTime":{"description":"The latest time to which a database can be restored with point-in-time restore.","type":"string","format":"date-time"},"masterUserSecret":{"description":"The secret managed by RDS in Amazon Web Services Secrets Manager for the\nmaster user password.\n\nFor more information, see Password management with Amazon Web Services Secrets\nManager (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\nin the Amazon RDS User Guide and Password management with Amazon Web Services\nSecrets Manager (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"kmsKeyID":{"type":"string"},"secretARN":{"type":"string"},"secretStatus":{"type":"string"}}},"multiAZ":{"description":"Indicates whether the DB cluster has instances in multiple Availability Zones.","type":"boolean"},"pendingModifiedValues":{"description":"Information about pending changes to the DB cluster. This information is\nreturned only when there are pending changes. 
Specific changes are identified\nby subelements.","type":"object","properties":{"allocatedStorage":{"type":"integer","format":"int64"},"backupRetentionPeriod":{"type":"integer","format":"int64"},"dbClusterIdentifier":{"type":"string"},"engineVersion":{"type":"string"},"iamDatabaseAuthenticationEnabled":{"type":"boolean"},"iops":{"type":"integer","format":"int64"},"masterUserPassword":{"type":"string"},"pendingCloudwatchLogsExports":{"description":"A list of the log types whose configuration is still pending. In other words,\nthese log types are in the process of being activated or deactivated.","type":"object","properties":{"logTypesToDisable":{"type":"array","items":{"type":"string"}},"logTypesToEnable":{"type":"array","items":{"type":"string"}}}}}},"percentProgress":{"description":"The progress of the operation as a percentage.","type":"string"},"performanceInsightsEnabled":{"description":"Indicates whether Performance Insights is enabled for the DB cluster.\n\nThis setting is only for non-Aurora Multi-AZ DB clusters.","type":"boolean"},"readReplicaIdentifiers":{"description":"Contains one or more identifiers of the read replicas associated with this\nDB cluster.","type":"array","items":{"type":"string"}},"readerEndpoint":{"description":"The reader endpoint for the DB cluster. The reader endpoint for a DB cluster\nload-balances connections across the Aurora Replicas that are available in\na DB cluster. As clients request new connections to the reader endpoint,\nAurora distributes the connection requests among the Aurora Replicas in the\nDB cluster. This functionality can help balance your read workload across\nmultiple Aurora Replicas in your DB cluster.\n\nIf a failover occurs, and the Aurora Replica that you are connected to is\npromoted to be the primary instance, your connection is dropped. 
To continue\nsending your read workload to other Aurora Replicas in the cluster, you can\nthen reconnect to the reader endpoint.","type":"string"},"status":{"description":"The current state of this DB cluster.","type":"string"},"tagList":{"type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcSecurityGroups":{"description":"The list of VPC security groups that the DB cluster belongs to.","type":"array","items":{"description":"This data type is used as a response element for queries on VPC security\ngroup membership.","type":"object","properties":{"status":{"type":"string"},"vpcSecurityGroupID":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBCluster","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBCluster"},"aws.k8s.services.rds.v1alpha1.DBClusterEndpoint":{"description":"DBClusterEndpoint is the Schema for the DBClusterEndpoints API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBClusterEndpointSpec defines the desired state of DBClusterEndpoint.\n\nThis data type represents the information you need to connect to an Amazon\nAurora DB cluster. This data type is used as a response element in the following\nactions:\n\n  - CreateDBClusterEndpoint\n\n  - DescribeDBClusterEndpoints\n\n  - ModifyDBClusterEndpoint\n\n  - DeleteDBClusterEndpoint\n\nFor the data structure that represents Amazon RDS DB instance endpoints,\nsee Endpoint.","type":"object","required":["dbClusterEndpointIdentifier"],"properties":{"dbClusterEndpointIdentifier":{"description":"The identifier to use for the new endpoint. 
This parameter is stored as a\nlowercase string.","type":"string"},"dbClusterIdentifier":{"description":"The DB cluster identifier of the DB cluster associated with the endpoint.\nThis parameter is stored as a lowercase string.","type":"string"},"dbClusterIdentifierRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"endpointType":{"description":"The type of the endpoint, one of: READER, WRITER, ANY.","type":"string"},"excludedMembers":{"description":"List of DB instance identifiers that aren't part of the custom endpoint group.\nAll other eligible instances are reachable through the custom endpoint. 
This\nparameter is relevant only if the list of static members is empty.","type":"array","items":{"type":"string"}},"staticMembers":{"description":"List of DB instance identifiers that are part of the custom endpoint group.","type":"array","items":{"type":"string"}},"tags":{"description":"The tags to be assigned to the Amazon RDS resource.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBClusterEndpointStatus defines the observed state of DBClusterEndpoint","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dbClusterEndpointResourceIdentifier":{"description":"A unique system-generated identifier for an endpoint. 
It remains the same\nfor the whole life of the endpoint.","type":"string"},"endpoint":{"description":"The DNS address of the endpoint.","type":"string"},"status":{"description":"The current status of the endpoint. One of: creating, available, deleting,\ninactive, modifying. The inactive state applies to an endpoint that can't\nbe used for a certain kind of cluster, such as a writer endpoint for a read-only\nsecondary cluster in a global database.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterEndpoint","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterEndpoint"},"aws.k8s.services.rds.v1alpha1.DBClusterEndpointList":{"description":"DBClusterEndpointList is a list of DBClusterEndpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbclusterendpoints. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBClusterEndpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterEndpointList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterEndpointList"},"aws.k8s.services.rds.v1alpha1.DBClusterList":{"description":"DBClusterList is a list of DBCluster","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbclusters. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBCluster"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterList"},"aws.k8s.services.rds.v1alpha1.DBClusterParameterGroup":{"description":"DBClusterParameterGroup is the Schema for the DBClusterParameterGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBClusterParameterGroupSpec defines the desired state of DBClusterParameterGroup.\n\nContains the details of an Amazon RDS DB cluster parameter group.\n\nThis data type is used as a response element in the DescribeDBClusterParameterGroups\naction.","type":"object","required":["description","family","name"],"properties":{"description":{"description":"The description for the DB cluster parameter group.","type":"string"},"family":{"description":"The DB cluster parameter group family name. 
A DB cluster parameter group\ncan be associated with one and only one DB cluster parameter group family,\nand can be applied only to a DB cluster running a database engine and engine\nversion compatible with that DB cluster parameter group family.\n\n# Aurora MySQL\n\nExample: aurora-mysql5.7, aurora-mysql8.0\n\n# Aurora PostgreSQL\n\nExample: aurora-postgresql14\n\n# RDS for MySQL\n\nExample: mysql8.0\n\n# RDS for PostgreSQL\n\nExample: postgres13\n\nTo list all of the available parameter group families for a DB engine, use\nthe following command:\n\naws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\"\n--engine <engine>\n\nFor example, to list all of the available parameter group families for the\nAurora PostgreSQL DB engine, use the following command:\n\naws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\"\n--engine aurora-postgresql\n\nThe output contains duplicates.\n\nThe following are the valid DB engine values:\n\n  - aurora-mysql\n\n  - aurora-postgresql\n\n  - mysql\n\n  - postgres","type":"string"},"name":{"description":"The name of the DB cluster parameter group.\n\nConstraints:\n\n  - Must not match the name of an existing DB cluster parameter group.\n\nThis value is stored as a lowercase string.","type":"string"},"parameterOverrides":{"description":"Map keys are the parameter names and map values are the parameter values.\n\nThe \"apply method\" for parameters is automatically determined.\n\nThese are ONLY user-defined parameter overrides for the DB cluster parameter group.\n\nThis does not contain default or system parameters.","type":"object","additionalProperties":{"type":"string"}},"parameters":{"description":"DEPRECATED - do not use.  
Prefer ParameterOverrides instead.","type":"array","items":{"description":"This data type is used as a request parameter in the ModifyDBParameterGroup\nand ResetDBParameterGroup actions.\n\nThis data type is used as a response element in the DescribeEngineDefaultParameters\nand DescribeDBParameters actions.","type":"object","properties":{"allowedValues":{"type":"string"},"applyMethod":{"type":"string"},"applyType":{"type":"string"},"dataType":{"type":"string"},"description":{"type":"string"},"isModifiable":{"type":"boolean"},"minimumEngineVersion":{"type":"string"},"parameterName":{"type":"string"},"parameterValue":{"type":"string"},"source":{"type":"string"},"supportedEngineModes":{"type":"array","items":{"type":"string"}}}}},"tags":{"description":"Tags to assign to the DB cluster parameter group.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBClusterParameterGroupStatus defines the observed state of DBClusterParameterGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"parameterOverrideStatuses":{"description":"Provides a list of parameters for the DB cluster parameter group.","type":"array","items":{"description":"This data type is used as a request parameter in the ModifyDBParameterGroup\nand ResetDBParameterGroup actions.\n\nThis data type is 
used as a response element in the DescribeEngineDefaultParameters\nand DescribeDBParameters actions.","type":"object","properties":{"allowedValues":{"type":"string"},"applyMethod":{"type":"string"},"applyType":{"type":"string"},"dataType":{"type":"string"},"description":{"type":"string"},"isModifiable":{"type":"boolean"},"minimumEngineVersion":{"type":"string"},"parameterName":{"type":"string"},"parameterValue":{"type":"string"},"source":{"type":"string"},"supportedEngineModes":{"type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterParameterGroup","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterParameterGroup"},"aws.k8s.services.rds.v1alpha1.DBClusterParameterGroupList":{"description":"DBClusterParameterGroupList is a list of DBClusterParameterGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbclusterparametergroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBClusterParameterGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterParameterGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterParameterGroupList"},"aws.k8s.services.rds.v1alpha1.DBClusterSnapshot":{"description":"DBClusterSnapshot is the Schema for the DBClusterSnapshots API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBClusterSnapshotSpec defines the desired state of DBClusterSnapshot.\n\n# Contains the details for an Amazon RDS DB cluster snapshot\n\nThis data type is used as a response element in the DescribeDBClusterSnapshots\naction.","type":"object","required":["dbClusterSnapshotIdentifier"],"properties":{"dbClusterIdentifier":{"description":"The identifier of the DB cluster to create a snapshot for. 
This parameter\nisn't case-sensitive.\n\nConstraints:\n\n  - Must match the identifier of an existing DBCluster.\n\nExample: my-cluster1","type":"string"},"dbClusterIdentifierRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dbClusterSnapshotIdentifier":{"description":"The identifier of the DB cluster snapshot. This parameter is stored as a\nlowercase string.\n\nConstraints:\n\n  - Must contain from 1 to 63 letters, numbers, or hyphens.\n\n  - First character must be a letter.\n\n  - Can't end with a hyphen or contain two consecutive hyphens.\n\nExample: my-cluster1-snapshot1","type":"string"},"tags":{"description":"The tags to be assigned to the DB cluster snapshot.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBClusterSnapshotStatus defines the observed state of DBClusterSnapshot","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the 
resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"allocatedStorage":{"description":"The allocated storage size of the DB cluster snapshot in gibibytes (GiB).","type":"integer","format":"int64"},"availabilityZones":{"description":"The list of Availability Zones (AZs) where instances in the DB cluster snapshot\ncan be restored.","type":"array","items":{"type":"string"}},"clusterCreateTime":{"description":"The time when the DB cluster was created, in Universal Coordinated Time (UTC).","type":"string","format":"date-time"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human 
readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dbSystemID":{"description":"Reserved for future use.","type":"string"},"engine":{"description":"The name of the database engine for this DB cluster snapshot.","type":"string"},"engineMode":{"description":"The engine mode of the database engine for this DB cluster snapshot.","type":"string"},"engineVersion":{"description":"The version of the database engine for this DB cluster snapshot.","type":"string"},"iamDatabaseAuthenticationEnabled":{"description":"Indicates whether mapping of Amazon Web Services Identity and Access Management\n(IAM) accounts to database accounts is enabled.","type":"boolean"},"kmsKeyID":{"description":"If StorageEncrypted is true, the Amazon Web Services KMS key identifier for\nthe encrypted DB cluster snapshot.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key.","type":"string"},"licenseModel":{"description":"The license model information for this DB cluster snapshot.","type":"string"},"masterUsername":{"description":"The master username for this DB cluster snapshot.","type":"string"},"percentProgress":{"description":"The percentage of the estimated data that has been transferred.","type":"integer","format":"int64"},"port":{"description":"The port that the DB cluster was listening on at the time of the snapshot.","type":"integer","format":"int64"},"snapshotCreateTime":{"description":"The time when the snapshot was taken, in Universal Coordinated Time (UTC).","type":"string","format":"date-time"},"snapshotType":{"description":"The type of the DB cluster snapshot.","type":"string"},"sourceDBClusterSnapshotARN":{"description":"If the DB cluster 
snapshot was copied from a source DB cluster snapshot,\nthe Amazon Resource Name (ARN) for the source DB cluster snapshot, otherwise,\na null value.","type":"string"},"status":{"description":"The status of this DB cluster snapshot. Valid statuses are the following:\n\n   * available\n\n   * copying\n\n   * creating","type":"string"},"storageEncrypted":{"description":"Indicates whether the DB cluster snapshot is encrypted.","type":"boolean"},"tagList":{"type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcID":{"description":"The VPC ID associated with the DB cluster snapshot.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterSnapshot","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterSnapshot"},"aws.k8s.services.rds.v1alpha1.DBClusterSnapshotList":{"description":"DBClusterSnapshotList is a list of DBClusterSnapshot","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbclustersnapshots. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBClusterSnapshot"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBClusterSnapshotList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBClusterSnapshotList"},"aws.k8s.services.rds.v1alpha1.DBInstance":{"description":"DBInstance is the Schema for the DBInstances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBInstanceSpec defines the desired state of DBInstance.\n\nContains the details of an Amazon RDS DB instance.\n\nThis data type is used as a response element in the operations CreateDBInstance,\nCreateDBInstanceReadReplica, DeleteDBInstance, DescribeDBInstances, ModifyDBInstance,\nPromoteReadReplica, RebootDBInstance, RestoreDBInstanceFromDBSnapshot, RestoreDBInstanceFromS3,\nRestoreDBInstanceToPointInTime, StartDBInstance, and StopDBInstance.","type":"object","required":["dbInstanceClass","dbInstanceIdentifier","engine"],"properties":{"allocatedStorage":{"description":"The amount of storage in gibibytes (GiB) to allocate for the DB instance.\n\nThis setting doesn't apply to Amazon Aurora DB instances. Aurora cluster\nvolumes automatically grow as the amount of data in your database increases,\nthough you are only charged for the space that you use in an Aurora cluster\nvolume.\n\n# Amazon RDS Custom\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Must be an integer from 40\n    to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.\n\n  - Provisioned IOPS storage (io1, io2): Must be an integer from 40 to 65536\n    for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.\n\n# RDS for Db2\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp3): Must be an integer from 20 to 65536.\n\n  - Provisioned IOPS storage (io1, io2): Must be an integer from 100 to\n    65536.\n\n# RDS for MariaDB\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20\n    to 65536.\n\n  - Provisioned IOPS storage (io1, 
io2): Must be an integer from 100 to\n    65536.\n\n  - Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n# RDS for MySQL\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20\n    to 65536.\n\n  - Provisioned IOPS storage (io1, io2): Must be an integer from 100 to\n    65536.\n\n  - Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n# RDS for Oracle\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20\n    to 65536.\n\n  - Provisioned IOPS storage (io1, io2): Must be an integer from 100 to\n    65536.\n\n  - Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n# RDS for PostgreSQL\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20\n    to 65536.\n\n  - Provisioned IOPS storage (io1, io2): Must be an integer from 100 to\n    65536.\n\n  - Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n# RDS for SQL Server\n\nConstraints to the amount of storage for each storage type are the following:\n\n  - General Purpose (SSD) storage (gp2, gp3): Enterprise and Standard editions:\n    Must be an integer from 20 to 16384. Web and Express editions: Must be\n    an integer from 20 to 16384.\n\n  - Provisioned IOPS storage (io1, io2): Enterprise and Standard editions:\n    Must be an integer from 100 to 16384. Web and Express editions: Must be\n    an integer from 100 to 16384.\n\n  - Magnetic storage (standard): Enterprise and Standard editions: Must\n    be an integer from 20 to 1024. 
Web and Express editions: Must be an integer\n    from 20 to 1024.","type":"integer","format":"int64"},"autoMinorVersionUpgrade":{"description":"Specifies whether minor engine upgrades are applied automatically to the\nDB instance during the maintenance window. By default, minor engine upgrades\nare applied automatically.\n\nIf you create an RDS Custom DB instance, you must set AutoMinorVersionUpgrade\nto false.","type":"boolean"},"availabilityZone":{"description":"The Availability Zone (AZ) where the database will be created. For information\non Amazon Web Services Regions and Availability Zones, see Regions and Availability\nZones (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html).\n\nFor Amazon Aurora, each Aurora DB cluster hosts copies of its storage in\nthree separate Availability Zones. Specify one of these Availability Zones.\nAurora automatically chooses an appropriate Availability Zone if you don't\nspecify one.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's Amazon\nWeb Services Region.\n\nConstraints:\n\n  - The AvailabilityZone parameter can't be specified if the DB instance\n    is a Multi-AZ deployment.\n\n  - The specified Availability Zone must be in the same Amazon Web Services\n    Region as the current endpoint.\n\nExample: us-east-1d","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"backupRetentionPeriod":{"description":"The number of days for which automated backups are retained. Setting this\nparameter to a positive number enables backups. Setting this parameter to\n0 disables automated backups.\n\nThis setting doesn't apply to Amazon Aurora DB instances. 
The retention period\nfor automated backups is managed by the DB cluster.\n\nDefault: 1\n\nConstraints:\n\n  - Must be a value from 0 to 35.\n\n  - Can't be set to 0 if the DB instance is a source to read replicas.\n\n  - Can't be set to 0 for an RDS Custom for Oracle DB instance.","type":"integer","format":"int64"},"backupTarget":{"description":"The location for storing automated backups and manual snapshots.\n\nValid Values:\n\n  - outposts (Amazon Web Services Outposts)\n\n  - region (Amazon Web Services Region)\n\nDefault: region\n\nFor more information, see Working with Amazon RDS on Amazon Web Services\nOutposts (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-on-outposts.html)\nin the Amazon RDS User Guide.","type":"string"},"caCertificateIdentifier":{"description":"The CA certificate identifier to use for the DB instance's server certificate.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nFor more information, see Using SSL/TLS to encrypt a connection to a DB instance\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)\nin the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to\na DB cluster (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html)\nin the Amazon Aurora User Guide.","type":"string"},"characterSetName":{"description":"For supported engines, the character set (CharacterSet) to associate the\nDB instance with.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora - The character set is managed by the DB cluster. For\n    more information, see CreateDBCluster.\n\n  - RDS Custom - However, if you need to change the character set, you can\n    change it on the database itself.","type":"string"},"copyTagsToSnapshot":{"description":"Specifies whether to copy tags from the DB instance to snapshots of the DB\ninstance. By default, tags are not copied.\n\nThis setting doesn't apply to Amazon Aurora DB instances. 
Copying tags to\nsnapshots is managed by the DB cluster. Setting this value for an Aurora\nDB instance has no effect on the DB cluster setting.","type":"boolean"},"customIAMInstanceProfile":{"description":"The instance profile associated with the underlying Amazon EC2 instance of\nan RDS Custom DB instance.\n\nThis setting is required for RDS Custom.\n\nConstraints:\n\n  - The profile must exist in your account.\n\n  - The profile must have an IAM role that Amazon EC2 has permissions to\n    assume.\n\n  - The instance profile name and the associated IAM role name must start\n    with the prefix AWSRDSCustom.\n\nFor the list of permissions required for the IAM role, see Configure IAM\nand your VPC (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-setup-orcl.html#custom-setup-orcl.iam-vpc)\nin the Amazon RDS User Guide.","type":"string"},"databaseInsightsMode":{"description":"Specifies the mode of Database Insights to enable for the instance.","type":"string"},"dbClusterIdentifier":{"description":"The identifier of the DB cluster that this DB instance will belong to.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"dbClusterSnapshotIdentifier":{"description":"The identifier for the Multi-AZ DB cluster snapshot to restore from.\n\nFor more information on Multi-AZ DB clusters, see Multi-AZ DB cluster deployments\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html)\nin the Amazon RDS User Guide.\n\nConstraints:\n\n  - Must match the identifier of an existing Multi-AZ DB cluster snapshot.\n\n  - Can't be specified when DBSnapshotIdentifier is specified.\n\n  - Must be specified when DBSnapshotIdentifier isn't specified.\n\n  - If you are restoring from a shared manual Multi-AZ DB cluster snapshot,\n    the DBClusterSnapshotIdentifier must be the ARN of the shared snapshot.\n\n  - Can't be the identifier of an Aurora DB cluster 
snapshot.","type":"string"},"dbInstanceClass":{"description":"The compute and memory capacity of the DB instance, for example db.m5.large.\nNot all DB instance classes are available in all Amazon Web Services Regions,\nor for all database engines. For the full list of DB instance classes, and\navailability for your engine, see DB instance classes (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html)\nin the Amazon RDS User Guide or Aurora DB instance classes (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html)\nin the Amazon Aurora User Guide.","type":"string"},"dbInstanceIdentifier":{"description":"The identifier for this DB instance. This parameter is stored as a lowercase\nstring.\n\nConstraints:\n\n  - Must contain from 1 to 63 letters, numbers, or hyphens.\n\n  - First character must be a letter.\n\n  - Can't end with a hyphen or contain two consecutive hyphens.\n\nExample: mydbinstance","type":"string"},"dbName":{"description":"The meaning of this parameter differs according to the database engine you\nuse.\n\n# Amazon Aurora MySQL\n\nThe name of the database to create when the primary DB instance of the Aurora\nMySQL DB cluster is created. If this parameter isn't specified for an Aurora\nMySQL DB cluster, no database is created in the DB cluster.\n\nConstraints:\n\n  - Must contain 1 to 64 alphanumeric characters.\n\n  - Must begin with a letter. Subsequent characters can be letters, underscores,\n    or digits (0-9).\n\n  - Can't be a word reserved by the database engine.\n\n# Amazon Aurora PostgreSQL\n\nThe name of the database to create when the primary DB instance of the Aurora\nPostgreSQL DB cluster is created. A database named postgres is always created.\nIf this parameter is specified, an additional database with this name is\ncreated.\n\nConstraints:\n\n  - It must contain 1 to 63 alphanumeric characters.\n\n  - Must begin with a letter. 
Subsequent characters can be letters, underscores,\n    or digits (0 to 9).\n\n  - Can't be a word reserved by the database engine.\n\n# Amazon RDS Custom for Oracle\n\nThe Oracle System ID (SID) of the created RDS Custom DB instance. If you\ndon't specify a value, the default value is ORCL for non-CDBs and RDSCDB\nfor CDBs.\n\nDefault: ORCL\n\nConstraints:\n\n  - Must contain 1 to 8 alphanumeric characters.\n\n  - Must contain a letter.\n\n  - Can't be a word reserved by the database engine.\n\n# Amazon RDS Custom for SQL Server\n\nNot applicable. Must be null.\n\n# RDS for Db2\n\nThe name of the database to create when the DB instance is created. If this\nparameter isn't specified, no database is created in the DB instance. In\nsome cases, we recommend that you don't add a database name. For more information,\nsee Additional considerations (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-db-instance-prereqs.html#db2-prereqs-additional-considerations)\nin the Amazon RDS User Guide.\n\nConstraints:\n\n  - Must contain 1 to 64 letters or numbers.\n\n  - Must begin with a letter. Subsequent characters can be letters, underscores,\n    or digits (0-9).\n\n  - Can't be a word reserved by the specified database engine.\n\n# RDS for MariaDB\n\nThe name of the database to create when the DB instance is created. If this\nparameter isn't specified, no database is created in the DB instance.\n\nConstraints:\n\n  - Must contain 1 to 64 letters or numbers.\n\n  - Must begin with a letter. Subsequent characters can be letters, underscores,\n    or digits (0-9).\n\n  - Can't be a word reserved by the specified database engine.\n\n# RDS for MySQL\n\nThe name of the database to create when the DB instance is created. If this\nparameter isn't specified, no database is created in the DB instance.\n\nConstraints:\n\n  - Must contain 1 to 64 letters or numbers.\n\n  - Must begin with a letter. 
Subsequent characters can be letters, underscores,\n    or digits (0-9).\n\n  - Can't be a word reserved by the specified database engine.\n\n# RDS for Oracle\n\nThe Oracle System ID (SID) of the created DB instance. If you don't specify\na value, the default value is ORCL. You can't specify the string null, or\nany other reserved word, for DBName.\n\nDefault: ORCL\n\nConstraints:\n\n  - Can't be longer than 8 characters.\n\n# RDS for PostgreSQL\n\nThe name of the database to create when the DB instance is created. A database\nnamed postgres is always created. If this parameter is specified, an additional\ndatabase with this name is created.\n\nConstraints:\n\n  - Must contain 1 to 63 letters, numbers, or underscores.\n\n  - Must begin with a letter. Subsequent characters can be letters, underscores,\n    or digits (0-9).\n\n  - Can't be a word reserved by the specified database engine.\n\n# RDS for SQL Server\n\nNot applicable. Must be null.","type":"string"},"dbParameterGroupName":{"description":"The name of the DB parameter group to associate with this DB instance. 
If\nyou don't specify a value, then Amazon RDS uses the default DB parameter\ngroup for the specified DB engine and version.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nConstraints:\n\n  - Must be 1 to 255 letters, numbers, or hyphens.\n\n  - The first character must be a letter.\n\n  - Can't end with a hyphen or contain two consecutive hyphens.","type":"string"},"dbParameterGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dbSnapshotIdentifier":{"description":"The identifier for the DB snapshot to restore from.\n\nConstraints:\n\n  - Must match the identifier of an existing DB snapshot.\n\n  - Can't be specified when DBClusterSnapshotIdentifier is specified.\n\n  - Must be specified when DBClusterSnapshotIdentifier isn't specified.\n\n  - If you are restoring from a shared manual DB snapshot, the DBSnapshotIdentifier\n    must be the ARN of the shared DB snapshot.","type":"string"},"dbSubnetGroupName":{"description":"A DB subnet group to associate with this DB instance.\n\nConstraints:\n\n  - Must match the name of an existing DB subnet group.\n\nExample: mydbsubnetgroup","type":"string"},"dbSubnetGroupRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the 
identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"deletionProtection":{"description":"Specifies whether the DB instance has deletion protection enabled. The database\ncan't be deleted when deletion protection is enabled. By default, deletion\nprotection isn't enabled. For more information, see Deleting a DB Instance\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html).\n\nThis setting doesn't apply to Amazon Aurora DB instances. You can enable\nor disable deletion protection for the DB cluster. For more information,\nsee CreateDBCluster. DB instances in a DB cluster can be deleted even when\ndeletion protection is enabled for the DB cluster.","type":"boolean"},"destinationRegion":{"description":"DestinationRegion is used for presigning the request to a given region.","type":"string"},"domain":{"description":"The Active Directory directory ID to create the DB instance in. Currently,\nyou can create only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL\nDB instances in an Active Directory Domain.\n\nFor more information, see Kerberos Authentication (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (The domain is managed by the DB cluster.)\n\n  - RDS Custom","type":"string"},"domainIAMRoleName":{"description":"The name of the IAM role to use when making API calls to the Directory Service.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (The domain is managed by the DB cluster.)\n\n  - RDS Custom","type":"string"},"enableCloudwatchLogsExports":{"description":"The list of log types to enable for exporting to CloudWatch Logs. 
For more\ninformation, see Publishing Database Logs to Amazon CloudWatch Logs (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (CloudWatch Logs exports are managed by the DB cluster.)\n\n  - RDS Custom\n\nThe following values are valid for each DB engine:\n\n  - RDS for Db2 - diag.log | notify.log\n\n  - RDS for MariaDB - audit | error | general | slowquery\n\n  - RDS for Microsoft SQL Server - agent | error\n\n  - RDS for MySQL - audit | error | general | slowquery\n\n  - RDS for Oracle - alert | audit | listener | trace | oemagent\n\n  - RDS for PostgreSQL - postgresql | upgrade","type":"array","items":{"type":"string"}},"enableCustomerOwnedIP":{"description":"Specifies whether to enable a customer-owned IP address (CoIP) for an RDS\non Outposts DB instance.\n\nA CoIP provides local or external connectivity to resources in your Outpost\nsubnets through your on-premises network. For some use cases, a CoIP can\nprovide lower latency for connections to the DB instance from outside of\nits virtual private cloud (VPC) on your local network.\n\nFor more information about RDS on Outposts, see Working with Amazon RDS on\nAmazon Web Services Outposts (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-on-outposts.html)\nin the Amazon RDS User Guide.\n\nFor more information about CoIPs, see Customer-owned IP addresses (https://docs.aws.amazon.com/outposts/latest/userguide/routing.html#ip-addressing)\nin the Amazon Web Services Outposts User Guide.","type":"boolean"},"enableIAMDatabaseAuthentication":{"description":"Specifies whether to enable mapping of Amazon Web Services Identity and Access\nManagement (IAM) accounts to database accounts. 
By default, mapping isn't\nenabled.\n\nFor more information, see IAM Database Authentication for MySQL and PostgreSQL\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (Mapping Amazon Web Services IAM accounts to database\n    accounts is managed by the DB cluster.)\n\n  - RDS Custom","type":"boolean"},"engine":{"description":"The database engine to use for this DB instance.\n\nNot every database engine is available in every Amazon Web Services Region.\n\nValid Values:\n\n  - aurora-mysql (for Aurora MySQL DB instances)\n\n  - aurora-postgresql (for Aurora PostgreSQL DB instances)\n\n  - custom-oracle-ee (for RDS Custom for Oracle DB instances)\n\n  - custom-oracle-ee-cdb (for RDS Custom for Oracle DB instances)\n\n  - custom-oracle-se2 (for RDS Custom for Oracle DB instances)\n\n  - custom-oracle-se2-cdb (for RDS Custom for Oracle DB instances)\n\n  - custom-sqlserver-ee (for RDS Custom for SQL Server DB instances)\n\n  - custom-sqlserver-se (for RDS Custom for SQL Server DB instances)\n\n  - custom-sqlserver-web (for RDS Custom for SQL Server DB instances)\n\n  - custom-sqlserver-dev (for RDS Custom for SQL Server DB instances)\n\n  - db2-ae\n\n  - db2-se\n\n  - mariadb\n\n  - mysql\n\n  - oracle-ee\n\n  - oracle-ee-cdb\n\n  - oracle-se2\n\n  - oracle-se2-cdb\n\n  - postgres\n\n  - sqlserver-ee\n\n  - sqlserver-se\n\n  - sqlserver-ex\n\n  - sqlserver-web","type":"string"},"engineVersion":{"description":"The version number of the database engine to use.\n\nThis setting doesn't apply to Amazon Aurora DB instances. 
The version number\nof the database engine the DB instance uses is managed by the DB cluster.\n\nFor a list of valid engine versions, use the DescribeDBEngineVersions operation.\n\nThe following are the database engines and links to information about the\nmajor and minor versions that are available with Amazon RDS. Not every database\nengine is available for every Amazon Web Services Region.\n\n# Amazon RDS Custom for Oracle\n\nA custom engine version (CEV) that you have previously created. This setting\nis required for RDS Custom for Oracle. The CEV name has the following format:\n19.customized_string. A valid CEV name is 19.my_cev1. For more information,\nsee Creating an RDS Custom for Oracle DB instance (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-creating.html#custom-creating.create)\nin the Amazon RDS User Guide.\n\n# Amazon RDS Custom for SQL Server\n\nSee RDS Custom for SQL Server general requirements (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-reqs-limits-MS.html)\nin the Amazon RDS User Guide.\n\n# RDS for Db2\n\nFor information, see Db2 on Amazon RDS versions (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt)\nin the Amazon RDS User Guide.\n\n# RDS for MariaDB\n\nFor information, see MariaDB on Amazon RDS versions (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt)\nin the Amazon RDS User Guide.\n\n# RDS for Microsoft SQL Server\n\nFor information, see Microsoft SQL Server versions on Amazon RDS (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport)\nin the Amazon RDS User Guide.\n\n# RDS for MySQL\n\nFor information, see MySQL on Amazon RDS versions (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt)\nin the Amazon RDS User Guide.\n\n# RDS for Oracle\n\nFor information, see Oracle Database Engine release notes 
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html)\nin the Amazon RDS User Guide.\n\n# RDS for PostgreSQL\n\nFor information, see Amazon RDS for PostgreSQL versions and extensions (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts)\nin the Amazon RDS User Guide.","type":"string"},"iops":{"description":"The amount of Provisioned IOPS (input/output operations per second) to initially\nallocate for the DB instance. For information about valid IOPS values, see\nAmazon RDS DB instance storage (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to Amazon Aurora DB instances. Storage is managed\nby the DB cluster.\n\nConstraints:\n\n  - For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a\n    multiple between .5 and 50 of the storage amount for the DB instance.\n\n  - For RDS for SQL Server - Must be a multiple between 1 and 50 of the\n    storage amount for the DB instance.","type":"integer","format":"int64"},"kmsKeyID":{"description":"The Amazon Web Services KMS key identifier for an encrypted DB instance.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key. To use a KMS key in a different Amazon\nWeb Services account, specify the key ARN or alias ARN.\n\nThis setting doesn't apply to Amazon Aurora DB instances. The Amazon Web\nServices KMS key identifier is managed by the DB cluster. For more information,\nsee CreateDBCluster.\n\nIf StorageEncrypted is enabled, and you do not specify a value for the KmsKeyId\nparameter, then Amazon RDS uses your default KMS key. There is a default\nKMS key for your Amazon Web Services account. Your Amazon Web Services account\nhas a different default KMS key for each Amazon Web Services Region.\n\nFor Amazon RDS Custom, a KMS key is required for DB instances. 
For most RDS\nengines, if you leave this parameter empty while enabling StorageEncrypted,\nthe engine uses the default KMS key. However, RDS Custom doesn't use the\ndefault key when this parameter is empty. You must explicitly specify a key.","type":"string"},"kmsKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"licenseModel":{"description":"The license model information for this DB instance.\n\nLicense models for RDS for Db2 require additional configuration. The Bring\nYour Own License (BYOL) model requires a custom parameter group and an Amazon\nWeb Services License Manager self-managed license. The Db2 license through\nAmazon Web Services Marketplace model requires an Amazon Web Services Marketplace\nsubscription. 
For more information, see Amazon RDS for Db2 licensing options\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html)\nin the Amazon RDS User Guide.\n\nThe default for RDS for Db2 is bring-your-own-license.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.\n\nValid Values:\n\n  - RDS for Db2 - bring-your-own-license | marketplace-license\n\n  - RDS for MariaDB - general-public-license\n\n  - RDS for Microsoft SQL Server - license-included\n\n  - RDS for MySQL - general-public-license\n\n  - RDS for Oracle - bring-your-own-license | license-included\n\n  - RDS for PostgreSQL - postgresql-license","type":"string"},"manageMasterUserPassword":{"description":"Specifies whether to manage the master user password with Amazon Web Services\nSecrets Manager.\n\nFor more information, see Password management with Amazon Web Services Secrets\nManager (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\nin the Amazon RDS User Guide.\n\nConstraints:\n\n  - Can't manage the master user password with Amazon Web Services Secrets\n    Manager if MasterUserPassword is specified.","type":"boolean"},"masterUserPassword":{"description":"The password for the master user.\n\nThis setting doesn't apply to Amazon Aurora DB instances. The password for\nthe master user is managed by the DB cluster.\n\nConstraints:\n\n  - Can't be specified if ManageMasterUserPassword is turned on.\n\n  - Can include any printable ASCII character except \"/\", \"\"\", or \"@\". 
For\n    RDS for Oracle, can't include the \"&\" (ampersand) or the \"'\" (single quotes)\n    character.\n\nLength Constraints:\n\n  - RDS for Db2 - Must contain from 8 to 255 characters.\n\n  - RDS for MariaDB - Must contain from 8 to 41 characters.\n\n  - RDS for Microsoft SQL Server - Must contain from 8 to 128 characters.\n\n  - RDS for MySQL - Must contain from 8 to 41 characters.\n\n  - RDS for Oracle - Must contain from 8 to 30 characters.\n\n  - RDS for PostgreSQL - Must contain from 8 to 128 characters.\n\nThis field is a reference to a key in a secret resource (name, namespace, key)\nthat holds the password; the password itself is not written inline.","type":"object","required":["key"],"properties":{"key":{"description":"Key is the key within the secret","type":"string"},"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"masterUserSecretKMSKeyID":{"description":"The Amazon Web Services KMS key identifier to encrypt a secret that is automatically\ngenerated and managed in Amazon Web Services Secrets Manager.\n\nThis setting is valid only if the master user password is managed by RDS\nin Amazon Web Services Secrets Manager for the DB instance.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key. To use a KMS key in a different Amazon\nWeb Services account, specify the key ARN or alias ARN.\n\nIf you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager\nKMS key is used to encrypt the secret. If the secret is in a different Amazon\nWeb Services account, then you can't use the aws/secretsmanager KMS key to\nencrypt the secret, and you must use a customer managed KMS key.\n\nThere is a default KMS key for your Amazon Web Services account. 
Your Amazon\nWeb Services account has a different default KMS key for each Amazon Web\nServices Region.","type":"string"},"masterUserSecretKMSKeyRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"masterUsername":{"description":"The name for the master user.\n\nThis setting doesn't apply to Amazon Aurora DB instances. The name for the\nmaster user is managed by the DB cluster.\n\nThis setting is required for RDS DB instances.\n\nConstraints:\n\n  - Must be 1 to 16 letters, numbers, or underscores.\n\n  - First character must be a letter.\n\n  - Can't be a reserved word for the chosen database engine.","type":"string"},"maxAllocatedStorage":{"description":"The upper limit in gibibytes (GiB) to which Amazon RDS can automatically\nscale the storage of the DB instance.\n\nFor more information about this setting, including limitations that apply\nto it, see Managing capacity automatically with Amazon RDS storage autoscaling\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html#USER_PIOPS.Autoscaling)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (Storage is managed by the DB cluster.)\n\n  - RDS Custom","type":"integer","format":"int64"},"monitoringInterval":{"description":"The interval, in seconds, between points when Enhanced Monitoring metrics\nare collected for the DB instance. 
To disable collection of Enhanced Monitoring\nmetrics, specify 0.\n\nIf MonitoringRoleArn is specified, then you must set MonitoringInterval to\na value other than 0.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nValid Values: 0 | 1 | 5 | 10 | 15 | 30 | 60\n\nDefault: 0","type":"integer","format":"int64"},"monitoringRoleARN":{"description":"The ARN for the IAM role that permits RDS to send enhanced monitoring metrics\nto Amazon CloudWatch Logs. For example, arn:aws:iam::123456789012:role/emaccess.\nFor information on creating a monitoring role, see Setting Up and Enabling\nEnhanced Monitoring (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.Enabling)\nin the Amazon RDS User Guide.\n\nIf MonitoringInterval is set to a value other than 0, then you must supply\na MonitoringRoleArn value.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"multiAZ":{"description":"Specifies whether the DB instance is a Multi-AZ deployment. You can't set\nthe AvailabilityZone parameter if the DB instance is a Multi-AZ deployment.\n\nThis setting doesn't apply to the following DB instances:\n\n  - Amazon Aurora (DB instance Availability Zones (AZs) are managed by the\n    DB cluster.)\n\n  - RDS Custom","type":"boolean"},"ncharCharacterSetName":{"description":"The name of the NCHAR character set for the Oracle DB instance.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"networkType":{"description":"The network type of the DB instance.\n\nThe network type is determined by the DBSubnetGroup specified for the DB\ninstance. 
A DBSubnetGroup can support only the IPv4 protocol or the IPv4\nand the IPv6 protocols (DUAL).\n\nFor more information, see Working with a DB instance in a VPC (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html)\nin the Amazon RDS User Guide.\n\nValid Values: IPV4 | DUAL","type":"string"},"optionGroupName":{"description":"The option group to associate the DB instance with.\n\nPermanent options, such as the TDE option for Oracle Advanced Security TDE,\ncan't be removed from an option group. Also, that option group can't be removed\nfrom a DB instance after it is associated with a DB instance.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.","type":"string"},"performanceInsightsEnabled":{"description":"Specifies whether to enable Performance Insights for the DB instance. For\nmore information, see Using Amazon Performance Insights (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"boolean"},"performanceInsightsKMSKeyID":{"description":"The Amazon Web Services KMS key identifier for encryption of Performance\nInsights data.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key.\n\nIf you don't specify a value for PerformanceInsightsKMSKeyId, then Amazon\nRDS uses your default KMS key. There is a default KMS key for your Amazon\nWeb Services account. Your Amazon Web Services account has a different default\nKMS key for each Amazon Web Services Region.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"performanceInsightsRetentionPeriod":{"description":"The number of days to retain Performance Insights data.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nValid Values:\n\n  - 7\n\n  - month * 31, where month is a number of months from 1-23. 
Examples: 93\n    (3 months * 31), 341 (11 months * 31), 589 (19 months * 31)\n\n  - 731\n\nDefault: 7 days\n\nIf you specify a retention period that isn't valid, such as 94, Amazon RDS\nreturns an error.","type":"integer","format":"int64"},"port":{"description":"The port number on which the database accepts connections.\n\nThis setting doesn't apply to Aurora DB instances. The port number is managed\nby the cluster.\n\nValid Values: 1150-65535\n\nDefault:\n\n  - RDS for Db2 - 50000\n\n  - RDS for MariaDB - 3306\n\n  - RDS for Microsoft SQL Server - 1433\n\n  - RDS for MySQL - 3306\n\n  - RDS for Oracle - 1521\n\n  - RDS for PostgreSQL - 5432\n\nConstraints:\n\n  - For RDS for Microsoft SQL Server, the value can't be 1234, 1434, 3260,\n    3343, 3389, 47001, or 49152-49156.","type":"integer","format":"int64"},"preSignedURL":{"description":"When you are creating a read replica from one Amazon Web Services GovCloud\n(US) Region to another or from one China Amazon Web Services Region to another,\nthe URL that contains a Signature Version 4 signed request for the CreateDBInstanceReadReplica\nAPI operation in the source Amazon Web Services Region that contains the\nsource DB instance.\n\nThis setting applies only to Amazon Web Services GovCloud (US) Regions and\nChina Amazon Web Services Regions. It's ignored in other Amazon Web Services\nRegions.\n\nThis setting applies only when replicating from a source DB instance. Source\nDB clusters aren't supported in Amazon Web Services GovCloud (US) Regions\nand China Amazon Web Services Regions.\n\nYou must specify this parameter when you create an encrypted read replica\nfrom another Amazon Web Services Region by using the Amazon RDS API. 
Don't\nspecify PreSignedUrl when you are creating an encrypted read replica in the\nsame Amazon Web Services Region.\n\nThe presigned URL must be a valid request for the CreateDBInstanceReadReplica\nAPI operation that can run in the source Amazon Web Services Region that\ncontains the encrypted source DB instance. The presigned URL request must\ncontain the following parameter values:\n\n  - DestinationRegion - The Amazon Web Services Region that the encrypted\n    read replica is created in. This Amazon Web Services Region is the same\n    one where the CreateDBInstanceReadReplica operation is called that contains\n    this presigned URL. For example, if you create an encrypted DB instance\n    in the us-west-1 Amazon Web Services Region, from a source DB instance\n    in the us-east-2 Amazon Web Services Region, then you call the CreateDBInstanceReadReplica\n    operation in the us-east-1 Amazon Web Services Region and provide a presigned\n    URL that contains a call to the CreateDBInstanceReadReplica operation\n    in the us-west-2 Amazon Web Services Region. For this example, the DestinationRegion\n    in the presigned URL must be set to the us-east-1 Amazon Web Services\n    Region.\n\n  - KmsKeyId - The KMS key identifier for the key to use to encrypt the\n    read replica in the destination Amazon Web Services Region. This is the\n    same identifier for both the CreateDBInstanceReadReplica operation that\n    is called in the destination Amazon Web Services Region, and the operation\n    contained in the presigned URL.\n\n  - SourceDBInstanceIdentifier - The DB instance identifier for the encrypted\n    DB instance to be replicated. This identifier must be in the Amazon Resource\n    Name (ARN) format for the source Amazon Web Services Region. 
For example,\n    if you are creating an encrypted read replica from a DB instance in the\n    us-west-2 Amazon Web Services Region, then your SourceDBInstanceIdentifier\n    looks like the following example: arn:aws:rds:us-west-2:123456789012:instance:mysql-instance1-20161115.\n\nTo learn how to generate a Signature Version 4 signed request, see Authenticating\nRequests: Using Query Parameters (Amazon Web Services Signature Version 4)\n(https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html)\nand Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).\n\nIf you are using an Amazon Web Services SDK tool or the CLI, you can specify\nSourceRegion (or --source-region for the CLI) instead of specifying PreSignedUrl\nmanually. Specifying SourceRegion autogenerates a presigned URL that is a\nvalid request for the operation that can run in the source Amazon Web Services\nRegion.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"preferredBackupWindow":{"description":"The daily time range during which automated backups are created if automated\nbackups are enabled, using the BackupRetentionPeriod parameter. The default\nis a 30-minute window selected at random from an 8-hour block of time for\neach Amazon Web Services Region. For more information, see Backup window\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow)\nin the Amazon RDS User Guide.\n\nThis setting doesn't apply to Amazon Aurora DB instances. 
The daily time\nrange for creating automated backups is managed by the DB cluster.\n\nConstraints:\n\n  - Must be in the format hh24:mi-hh24:mi.\n\n  - Must be in Universal Coordinated Time (UTC).\n\n  - Must not conflict with the preferred maintenance window.\n\n  - Must be at least 30 minutes.","type":"string"},"preferredMaintenanceWindow":{"description":"The time range each week during which system maintenance can occur. For more\ninformation, see Amazon RDS Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#Concepts.DBMaintenance)\nin the Amazon RDS User Guide.\n\nThe default is a 30-minute window selected at random from an 8-hour block\nof time for each Amazon Web Services Region, occurring on a random day of\nthe week.\n\nConstraints:\n\n  - Must be in the format ddd:hh24:mi-ddd:hh24:mi.\n\n  - The day values must be mon | tue | wed | thu | fri | sat | sun.\n\n  - Must be in Universal Coordinated Time (UTC).\n\n  - Must not conflict with the preferred backup window.\n\n  - Must be at least 30 minutes.","type":"string"},"processorFeatures":{"description":"The number of CPU cores and the number of threads per core for the DB instance\nclass of the DB instance.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.","type":"array","items":{"description":"Contains the processor features of a DB instance class.\n\nTo specify the number of CPU cores, use the coreCount feature name for the\nName parameter. 
To specify the number of threads per core, use the threadsPerCore\nfeature name for the Name parameter.\n\nYou can set the processor features of the DB instance class for a DB instance\nwhen you call one of the following actions:\n\n  - CreateDBInstance\n\n  - ModifyDBInstance\n\n  - RestoreDBInstanceFromDBSnapshot\n\n  - RestoreDBInstanceFromS3\n\n  - RestoreDBInstanceToPointInTime\n\nYou can view the valid processor values for a particular instance class by\ncalling the DescribeOrderableDBInstanceOptions action and specifying the\ninstance class for the DBInstanceClass parameter.\n\nIn addition, you can use the following actions for DB instance class processor\ninformation:\n\n  - DescribeDBInstances\n\n  - DescribeDBSnapshots\n\n  - DescribeValidDBInstanceModifications\n\nIf you call DescribeDBInstances, ProcessorFeature returns non-null values\nonly if the following conditions are met:\n\n  - You are accessing an Oracle DB instance.\n\n  - Your Oracle DB instance class supports configuring the number of CPU\n    cores and threads per core.\n\n  - The current number of CPU cores and threads is set to a non-default value.\n\nFor more information, see Configuring the processor for a DB instance class\nin RDS for Oracle (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html#USER_ConfigureProcessor)\nin the Amazon RDS User Guide.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"promotionTier":{"description":"The order of priority in which an Aurora Replica is promoted to the primary\ninstance after a failure of the existing primary instance. 
For more information,\nsee Fault Tolerance for an Aurora DB Cluster (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html#Aurora.Managing.FaultTolerance)\nin the Amazon Aurora User Guide.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nDefault: 1\n\nValid Values: 0 - 15","type":"integer","format":"int64"},"publiclyAccessible":{"description":"Specifies whether the DB instance is publicly accessible.\n\nWhen the DB instance is publicly accessible and you connect from outside\nof the DB instance's virtual private cloud (VPC), its Domain Name System\n(DNS) endpoint resolves to the public IP address. When you connect from within\nthe same VPC as the DB instance, the endpoint resolves to the private IP\naddress. Access to the DB instance is ultimately controlled by the security\ngroup it uses. That public access is not permitted if the security group\nassigned to the DB instance doesn't permit it.\n\nWhen the DB instance isn't publicly accessible, it is an internal DB instance\nwith a DNS name that resolves to a private IP address.\n\nDefault: The default behavior varies depending on whether DBSubnetGroupName\nis specified.\n\nIf DBSubnetGroupName isn't specified, and PubliclyAccessible isn't specified,\nthe following applies:\n\n  - If the default VPC in the target Region doesn’t have an internet gateway\n    attached to it, the DB instance is private.\n\n  - If the default VPC in the target Region has an internet gateway attached\n    to it, the DB instance is public.\n\nIf DBSubnetGroupName is specified, and PubliclyAccessible isn't specified,\nthe following applies:\n\n  - If the subnets are part of a VPC that doesn’t have an internet gateway\n    attached to it, the DB instance is private.\n\n  - If the subnets are part of a VPC that has an internet gateway attached\n    to it, the DB instance is public.","type":"boolean"},"replicaMode":{"description":"The open mode of the replica database: mounted or 
read-only.\n\nThis parameter is only supported for Oracle DB instances.\n\nMounted DB replicas are included in Oracle Database Enterprise Edition. The\nmain use case for mounted replicas is cross-Region disaster recovery. The\nprimary database doesn't use Active Data Guard to transmit information to\nthe mounted replica. Because it doesn't accept user connections, a mounted\nreplica can't serve a read-only workload.\n\nYou can create a combination of mounted and read-only DB replicas for the\nsame primary DB instance. For more information, see Working with Oracle Read\nReplicas for Amazon RDS (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.html)\nin the Amazon RDS User Guide.\n\nFor RDS Custom, you must specify this parameter and set it to mounted. The\nvalue won't be set by default. After replica creation, you can manage the\nopen mode manually.","type":"string"},"sourceDBInstanceIdentifier":{"description":"The identifier of the DB instance that will act as the source for the read\nreplica. 
Each DB instance can have up to 15 read replicas, with the exception\nof Oracle and SQL Server, which can have up to five.\n\nConstraints:\n\n  - Must be the identifier of an existing Db2, MariaDB, MySQL, Oracle, PostgreSQL,\n    or SQL Server DB instance.\n\n  - Can't be specified if the SourceDBClusterIdentifier parameter is also\n    specified.\n\n  - For the limitations of Oracle read replicas, see Version and licensing\n    considerations for RDS for Oracle replicas (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.limitations.html#oracle-read-replicas.limitations.versions-and-licenses)\n    in the Amazon RDS User Guide.\n\n  - For the limitations of SQL Server read replicas, see Read replica limitations\n    with SQL Server (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.ReadReplicas.html#SQLServer.ReadReplicas.Limitations)\n    in the Amazon RDS User Guide.\n\n  - The specified DB instance must have automatic backups enabled, that\n    is, its backup retention period must be greater than 0.\n\n  - If the source DB instance is in the same Amazon Web Services Region\n    as the read replica, specify a valid DB instance identifier.\n\n  - If the source DB instance is in a different Amazon Web Services Region\n    from the read replica, specify a valid DB instance ARN. For more information,\n    see Constructing an ARN for Amazon RDS (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.ARN.html#USER_Tagging.ARN.Constructing)\n    in the Amazon RDS User Guide. This doesn't apply to SQL Server or RDS\n    Custom, which don't support cross-Region replicas.","type":"string"},"sourceRegion":{"description":"SourceRegion is the source region where the resource exists. This is not\nsent over the wire and is only used for presigning. This value should always\nhave the same region as the source ARN.","type":"string"},"storageEncrypted":{"description":"Specifies whether the DB instance is encrypted. 
By default, it isn't encrypted.\n\nFor RDS Custom DB instances, either enable this setting or leave it unset.\nOtherwise, Amazon RDS reports an error.\n\nThis setting doesn't apply to Amazon Aurora DB instances. The encryption\nfor DB instances is managed by the DB cluster.","type":"boolean"},"storageThroughput":{"description":"The storage throughput value for the DB instance.\n\nThis setting applies only to the gp3 storage type.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.","type":"integer","format":"int64"},"storageType":{"description":"The storage type to associate with the DB instance.\n\nIf you specify io1, io2, or gp3, you must also include a value for the Iops\nparameter.\n\nThis setting doesn't apply to Amazon Aurora DB instances. Storage is managed\nby the DB cluster.\n\nValid Values: gp2 | gp3 | io1 | io2 | standard\n\nDefault: io1, if the Iops parameter is specified. Otherwise, gp2.","type":"string"},"tags":{"description":"Tags to assign to the DB instance.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"tdeCredentialARN":{"description":"The ARN from the key store with which to associate the instance for TDE encryption.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.","type":"string"},"tdeCredentialPassword":{"description":"The password for the given ARN from the key store in order to access the\ndevice.\n\nThis setting doesn't apply to RDS Custom DB instances.","type":"string"},"timezone":{"description":"The time zone of the 
DB instance. The time zone parameter is currently supported\nonly by RDS for Db2 (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone)\nand RDS for SQL Server (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone).","type":"string"},"useDefaultProcessorFeatures":{"description":"Specifies whether the DB instance class of the DB instance uses its default\nprocessor features.\n\nThis setting doesn't apply to RDS Custom.","type":"boolean"},"vpcSecurityGroupIDs":{"description":"A list of Amazon EC2 VPC security groups to associate with this DB instance.\n\nThis setting doesn't apply to Amazon Aurora DB instances. The associated\nlist of EC2 VPC security groups is managed by the DB cluster.\n\nDefault: The default EC2 VPC security group for the DB subnet group's VPC.","type":"array","items":{"type":"string"}},"vpcSecurityGroupRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}}}},"status":{"description":"DBInstanceStatus defines the observed state of DBInstance","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"activityStreamEngineNativeAuditFieldsIncluded":{"description":"Indicates whether engine-native audit fields are included in the database\nactivity stream.","type":"boolean"},"activityStreamKMSKeyID":{"description":"The Amazon Web Services KMS key identifier used for encrypting messages in\nthe database activity stream. The Amazon Web Services KMS key identifier\nis the key ARN, key ID, alias ARN, or alias name for the KMS key.","type":"string"},"activityStreamKinesisStreamName":{"description":"The name of the Amazon Kinesis data stream used for the database activity\nstream.","type":"string"},"activityStreamMode":{"description":"The mode of the database activity stream. Database events such as a change\nor access generate an activity stream event. 
RDS for Oracle always handles\nthese events asynchronously.","type":"string"},"activityStreamPolicyStatus":{"description":"The status of the policy state of the activity stream.","type":"string"},"activityStreamStatus":{"description":"The status of the database activity stream.","type":"string"},"associatedRoles":{"description":"The Amazon Web Services Identity and Access Management (IAM) roles associated\nwith the DB instance.","type":"array","items":{"description":"Information about an Amazon Web Services Identity and Access Management (IAM)\nrole that is associated with a DB instance.","type":"object","properties":{"featureName":{"type":"string"},"roleARN":{"type":"string"},"status":{"type":"string"}}}},"automaticRestartTime":{"description":"The time when a stopped DB instance is restarted automatically.","type":"string","format":"date-time"},"automationMode":{"description":"The automation mode of the RDS Custom DB instance: full or all paused. If\nfull, the DB instance automates monitoring and instance recovery. 
If all\npaused, the instance pauses automation for the duration set by --resume-full-automation-mode-minutes.","type":"string"},"awsBackupRecoveryPointARN":{"description":"The Amazon Resource Name (ARN) of the recovery point in Amazon Web Services\nBackup.","type":"string"},"certificateDetails":{"description":"The details of the DB instance's server certificate.","type":"object","properties":{"cAIdentifier":{"type":"string"},"validTill":{"type":"string","format":"date-time"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"customerOwnedIPEnabled":{"description":"Indicates whether a customer-owned IP address (CoIP) is enabled for an RDS\non Outposts DB instance.\n\nA CoIP provides local or external connectivity to resources in your Outpost\nsubnets through your on-premises network. 
For some use cases, a CoIP can\nprovide lower latency for connections to the DB instance from outside of\nits virtual private cloud (VPC) on your local network.\n\nFor more information about RDS on Outposts, see Working with Amazon RDS on\nAmazon Web Services Outposts (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-on-outposts.html)\nin the Amazon RDS User Guide.\n\nFor more information about CoIPs, see Customer-owned IP addresses (https://docs.aws.amazon.com/outposts/latest/userguide/routing.html#ip-addressing)\nin the Amazon Web Services Outposts User Guide.","type":"boolean"},"dbInstanceAutomatedBackupsReplications":{"description":"The list of replicated automated backups associated with the DB instance.","type":"array","items":{"description":"Automated backups of a DB instance replicated to another Amazon Web Services\nRegion. They consist of system backups, transaction logs, and database instance\nproperties.","type":"object","properties":{"dbInstanceAutomatedBackupsARN":{"type":"string"}}}},"dbInstancePort":{"description":"The port that the DB instance listens on. 
If the DB instance is part of a\nDB cluster, this can be a different port than the DB cluster port.","type":"integer","format":"int64"},"dbInstanceStatus":{"description":"The current state of this database.\n\nFor information about DB instance statuses, see Viewing DB instance status\n(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/accessing-monitoring.html#Overview.DBInstance.Status)\nin the Amazon RDS User Guide.","type":"string"},"dbParameterGroups":{"description":"The list of DB parameter groups applied to this DB instance.","type":"array","items":{"description":"The status of the DB parameter group.\n\nThis data type is used as a response element in the following actions:\n\n  - CreateDBInstance\n\n  - CreateDBInstanceReadReplica\n\n  - DeleteDBInstance\n\n  - ModifyDBInstance\n\n  - RebootDBInstance\n\n  - RestoreDBInstanceFromDBSnapshot","type":"object","properties":{"dbParameterGroupName":{"type":"string"},"parameterApplyStatus":{"type":"string"}}}},"dbSubnetGroup":{"description":"Information about the subnet group associated with the DB instance, including\nthe name, description, and subnets in the subnet group.","type":"object","properties":{"dbSubnetGroupARN":{"type":"string"},"dbSubnetGroupDescription":{"type":"string"},"dbSubnetGroupName":{"type":"string"},"subnetGroupStatus":{"type":"string"},"subnets":{"type":"array","items":{"description":"This data type is used as a response element for the DescribeDBSubnetGroups\noperation.","type":"object","properties":{"subnetAvailabilityZone":{"description":"Contains Availability Zone information.\n\nThis data type is used as an element in the OrderableDBInstanceOption data\ntype.","type":"object","properties":{"name":{"type":"string"}}},"subnetIdentifier":{"type":"string"},"subnetOutpost":{"description":"A data type that represents an Outpost.\n\nFor more information about RDS on Outposts, see Amazon RDS on Amazon Web\nServices Outposts 
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-on-outposts.html)\nin the Amazon RDS User Guide.","type":"object","properties":{"arn":{"type":"string"}}},"subnetStatus":{"type":"string"}}}},"supportedNetworkTypes":{"type":"array","items":{"type":"string"}},"vpcID":{"type":"string"}}},"dbSystemID":{"description":"The Oracle system ID (Oracle SID) for a container database (CDB). The Oracle\nSID is also the name of the CDB. This setting is only valid for RDS Custom\nDB instances.","type":"string"},"dbiResourceID":{"description":"The Amazon Web Services Region-unique, immutable identifier for the DB instance.\nThis identifier is found in Amazon Web Services CloudTrail log entries whenever\nthe Amazon Web Services KMS key for the DB instance is accessed.","type":"string"},"domainMemberships":{"description":"The Active Directory Domain membership records associated with the DB instance.","type":"array","items":{"description":"An Active Directory Domain membership record associated with the DB instance\nor cluster.","type":"object","properties":{"domain":{"type":"string"},"fQDN":{"type":"string"},"iamRoleName":{"type":"string"},"status":{"type":"string"}}}},"enabledCloudwatchLogsExports":{"description":"A list of log types that this DB instance is configured to export to CloudWatch\nLogs.\n\nLog types vary by DB engine. 
For information about the log types for each\nDB engine, see Monitoring Amazon RDS log files (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html)\nin the Amazon RDS User Guide.","type":"array","items":{"type":"string"}},"endpoint":{"description":"The connection endpoint for the DB instance.\n\nThe endpoint might not be shown for instances with the status of creating.","type":"object","properties":{"address":{"type":"string"},"hostedZoneID":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"enhancedMonitoringResourceARN":{"description":"The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that\nreceives the Enhanced Monitoring metrics data for the DB instance.","type":"string"},"iamDatabaseAuthenticationEnabled":{"description":"Indicates whether mapping of Amazon Web Services Identity and Access Management\n(IAM) accounts to database accounts is enabled for the DB instance.\n\nFor a list of engine versions that support IAM database authentication, see\nIAM database authentication (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.IamDatabaseAuthentication.html)\nin the Amazon RDS User Guide and IAM database authentication in Aurora (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.IAMdbauth.html)\nin the Amazon Aurora User Guide.","type":"boolean"},"instanceCreateTime":{"description":"The date and time when the DB instance was created.","type":"string","format":"date-time"},"latestRestorableTime":{"description":"The latest time to which a database in this DB instance can be restored with\npoint-in-time restore.","type":"string","format":"date-time"},"listenerEndpoint":{"description":"The listener connection endpoint for SQL Server Always 
On.","type":"object","properties":{"address":{"type":"string"},"hostedZoneID":{"type":"string"},"port":{"type":"integer","format":"int64"}}},"masterUserSecret":{"description":"The secret managed by RDS in Amazon Web Services Secrets Manager for the\nmaster user password.\n\nFor more information, see Password management with Amazon Web Services Secrets\nManager (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\nin the Amazon RDS User Guide.","type":"object","properties":{"kmsKeyID":{"type":"string"},"secretARN":{"type":"string"},"secretStatus":{"type":"string"}}},"optionGroupMemberships":{"description":"The list of option group memberships for this DB instance.","type":"array","items":{"description":"Provides information on the option groups the DB instance is a member of.","type":"object","properties":{"optionGroupName":{"type":"string"},"status":{"type":"string"}}}},"pendingModifiedValues":{"description":"Information about pending changes to the DB instance. This information is\nreturned only when there are pending changes. Specific changes are identified\nby subelements.","type":"object","properties":{"allocatedStorage":{"type":"integer","format":"int64"},"automationMode":{"type":"string"},"backupRetentionPeriod":{"type":"integer","format":"int64"},"caCertificateIdentifier":{"type":"string"},"dbInstanceClass":{"type":"string"},"dbInstanceIdentifier":{"type":"string"},"dbSubnetGroupName":{"type":"string"},"engineVersion":{"type":"string"},"iamDatabaseAuthenticationEnabled":{"type":"boolean"},"iops":{"type":"integer","format":"int64"},"licenseModel":{"type":"string"},"masterUserPassword":{"type":"string"},"multiAZ":{"type":"boolean"},"pendingCloudwatchLogsExports":{"description":"A list of the log types whose configuration is still pending. 
In other words,\nthese log types are in the process of being activated or deactivated.","type":"object","properties":{"logTypesToDisable":{"type":"array","items":{"type":"string"}},"logTypesToEnable":{"type":"array","items":{"type":"string"}}}},"port":{"type":"integer","format":"int64"},"processorFeatures":{"type":"array","items":{"description":"Contains the processor features of a DB instance class.\n\nTo specify the number of CPU cores, use the coreCount feature name for the\nName parameter. To specify the number of threads per core, use the threadsPerCore\nfeature name for the Name parameter.\n\nYou can set the processor features of the DB instance class for a DB instance\nwhen you call one of the following actions:\n\n  - CreateDBInstance\n\n  - ModifyDBInstance\n\n  - RestoreDBInstanceFromDBSnapshot\n\n  - RestoreDBInstanceFromS3\n\n  - RestoreDBInstanceToPointInTime\n\nYou can view the valid processor values for a particular instance class by\ncalling the DescribeOrderableDBInstanceOptions action and specifying the\ninstance class for the DBInstanceClass parameter.\n\nIn addition, you can use the following actions for DB instance class processor\ninformation:\n\n  - DescribeDBInstances\n\n  - DescribeDBSnapshots\n\n  - DescribeValidDBInstanceModifications\n\nIf you call DescribeDBInstances, ProcessorFeature returns non-null values\nonly if the following conditions are met:\n\n  - You are accessing an Oracle DB instance.\n\n  - Your Oracle DB instance class supports configuring the number of CPU\n    cores and threads per core.\n\n  - The current number of CPU cores and threads is set to a non-default value.\n\nFor more information, see Configuring the processor for a DB instance class\nin RDS for Oracle (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html#USER_ConfigureProcessor)\nin the Amazon RDS User 
Guide.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"resumeFullAutomationModeTime":{"type":"string","format":"date-time"},"storageThroughput":{"type":"integer","format":"int64"},"storageType":{"type":"string"}}},"readReplicaDBClusterIdentifiers":{"description":"The identifiers of Aurora DB clusters to which the RDS DB instance is replicated\nas a read replica. For example, when you create an Aurora read replica of\nan RDS for MySQL DB instance, the Aurora MySQL DB cluster for the Aurora\nread replica is shown. This output doesn't contain information about cross-Region\nAurora read replicas.\n\nCurrently, each RDS DB instance can have only one Aurora read replica.","type":"array","items":{"type":"string"}},"readReplicaDBInstanceIdentifiers":{"description":"The identifiers of the read replicas associated with this DB instance.","type":"array","items":{"type":"string"}},"readReplicaSourceDBClusterIdentifier":{"description":"The identifier of the source DB cluster if this DB instance is a read replica.","type":"string"},"readReplicaSourceDBInstanceIdentifier":{"description":"The identifier of the source DB instance if this DB instance is a read replica.","type":"string"},"resumeFullAutomationModeTime":{"description":"The number of minutes to pause the automation. When the time period ends,\nRDS Custom resumes full automation. The minimum value is 60 (default). The\nmaximum value is 1,440.","type":"string","format":"date-time"},"secondaryAvailabilityZone":{"description":"If present, specifies the name of the secondary Availability Zone for a DB\ninstance with multi-AZ support.","type":"string"},"statusInfos":{"description":"The status of a read replica. 
If the DB instance isn't a read replica, the\nvalue is blank.","type":"array","items":{"description":"Provides a list of status information for a DB instance.","type":"object","properties":{"message":{"type":"string"},"normal":{"type":"boolean"},"status":{"type":"string"},"statusType":{"type":"string"}}}},"vpcSecurityGroups":{"description":"The list of Amazon EC2 VPC security groups that the DB instance belongs to.","type":"array","items":{"description":"This data type is used as a response element for queries on VPC security\ngroup membership.","type":"object","properties":{"status":{"type":"string"},"vpcSecurityGroupID":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBInstance","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBInstance"},"aws.k8s.services.rds.v1alpha1.DBInstanceList":{"description":"DBInstanceList is a list of DBInstance","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbinstances. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBInstance"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBInstanceList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBInstanceList"},"aws.k8s.services.rds.v1alpha1.DBParameterGroup":{"description":"DBParameterGroup is the Schema for the DBParameterGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBParameterGroupSpec defines the desired state of DBParameterGroup.\n\nContains the details of an Amazon RDS DB parameter group.\n\nThis data type is used as a response element in the DescribeDBParameterGroups\naction.","type":"object","required":["description","family","name"],"properties":{"description":{"description":"The description for the DB parameter group.","type":"string"},"family":{"description":"The DB parameter group family name. 
A DB parameter group can be associated\nwith one and only one DB parameter group family, and can be applied only\nto a DB instance running a database engine and engine version compatible\nwith that DB parameter group family.\n\nTo list all of the available parameter group families for a DB engine, use\nthe following command:\n\naws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\"\n--engine\n\nFor example, to list all of the available parameter group families for the\nMySQL DB engine, use the following command:\n\naws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\"\n--engine mysql\n\nThe output contains duplicates.\n\nThe following are the valid DB engine values:\n\n  - aurora-mysql\n\n  - aurora-postgresql\n\n  - db2-ae\n\n  - db2-se\n\n  - mysql\n\n  - oracle-ee\n\n  - oracle-ee-cdb\n\n  - oracle-se2\n\n  - oracle-se2-cdb\n\n  - postgres\n\n  - sqlserver-ee\n\n  - sqlserver-se\n\n  - sqlserver-ex\n\n  - sqlserver-web","type":"string"},"name":{"description":"The name of the DB parameter group.\n\nConstraints:\n\n  - Must be 1 to 255 letters, numbers, or hyphens.\n\n  - First character must be a letter\n\n  - Can't end with a hyphen or contain two consecutive hyphens\n\nThis value is stored as a lowercase string.","type":"string"},"parameterOverrides":{"description":"Map keys are the parameter name and the values are the parameter value.\n\nThese are ONLY user-defined parameter overrides for the DB parameter group.\n\nThis does not contain default or system parameters.","type":"object","additionalProperties":{"type":"string"}},"tags":{"description":"Tags to assign to the DB parameter group.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and 
Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBParameterGroupStatus defines the observed state of DBParameterGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to 
another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"parameterOverrideStatuses":{"description":"A list of Parameter values.","type":"array","items":{"description":"This data type is used as a request parameter in the ModifyDBParameterGroup\nand ResetDBParameterGroup actions.\n\nThis data type is used as a response element in the DescribeEngineDefaultParameters\nand DescribeDBParameters actions.","type":"object","properties":{"allowedValues":{"type":"string"},"applyMethod":{"type":"string"},"applyType":{"type":"string"},"dataType":{"type":"string"},"description":{"type":"string"},"isModifiable":{"type":"boolean"},"minimumEngineVersion":{"type":"string"},"parameterName":{"type":"string"},"parameterValue":{"type":"string"},"source":{"type":"string"},"supportedEngineModes":{"type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBParameterGroup","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBParameterGroup"},"aws.k8s.services.rds.v1alpha1.DBParameterGroupList":{"description":"DBParameterGroupList is a list of DBParameterGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbparametergroups. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBParameterGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBParameterGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBParameterGroupList"},"aws.k8s.services.rds.v1alpha1.DBProxy":{"description":"DBProxy is the Schema for the DBProxies API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBProxySpec defines the desired state of DBProxy.\n\nThe data structure representing a proxy managed by the RDS Proxy.\n\nThis data type is used as a response element in the DescribeDBProxies action.","type":"object","required":["auth","engineFamily","name","roleARN","vpcSubnetIDs"],"properties":{"auth":{"description":"The authorization mechanism that the proxy uses.","type":"array","items":{"description":"Specifies the details of authentication used by a proxy to log in as a specific\ndatabase user.","type":"object","properties":{"authScheme":{"type":"string"},"clientPasswordAuthType":{"type":"string"},"description":{"type":"string"},"iamAuth":{"type":"string"},"secretARN":{"type":"string"},"userName":{"type":"string"}}}},"debugLogging":{"description":"Specifies whether the proxy includes detailed information about SQL statements\nin its logs. This information helps you to debug issues involving SQL behavior\nor the performance and scalability of the proxy connections. The debug information\nincludes the text of SQL statements that you submit through the proxy. Thus,\nonly enable this setting when needed for debugging, and only when you have\nsecurity measures in place to safeguard any sensitive information that appears\nin the logs.","type":"boolean"},"engineFamily":{"description":"The kinds of databases that the proxy can connect to. This value determines\nwhich database network protocol the proxy recognizes when it interprets network\ntraffic to and from the database. For Aurora MySQL, RDS for MariaDB, and\nRDS for MySQL databases, specify MYSQL. For Aurora PostgreSQL and RDS for\nPostgreSQL databases, specify POSTGRESQL. 
For RDS for Microsoft SQL Server,\nspecify SQLSERVER.","type":"string"},"idleClientTimeout":{"description":"The number of seconds that a connection to the proxy can be inactive before\nthe proxy disconnects it. You can set this value higher or lower than the\nconnection timeout limit for the associated database.","type":"integer","format":"int64"},"name":{"description":"The identifier for the proxy. This name must be unique for all proxies owned\nby your Amazon Web Services account in the specified Amazon Web Services\nRegion. An identifier must begin with a letter and must contain only ASCII\nletters, digits, and hyphens; it can't end with a hyphen or contain two consecutive\nhyphens.","type":"string"},"requireTLS":{"description":"Specifies whether Transport Layer Security (TLS) encryption is required for\nconnections to the proxy. By enabling this setting, you can enforce encrypted\nTLS connections to the proxy.","type":"boolean"},"roleARN":{"description":"The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access\nsecrets in Amazon Web Services Secrets Manager.","type":"string"},"tags":{"description":"An optional set of key-value pairs to associate arbitrary data of your choosing\nwith the proxy.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"vpcSecurityGroupIDs":{"description":"One or more VPC security group IDs to associate with the new proxy.","type":"array","items":{"type":"string"}},"vpcSubnetIDs":{"description":"One or more VPC subnet IDs to associate with the new 
proxy.","type":"array","items":{"type":"string"}}}},"status":{"description":"DBProxyStatus defines the observed state of DBProxy","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for 
the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"createdDate":{"description":"The date and time when the proxy was first created.","type":"string","format":"date-time"},"endpoint":{"description":"The endpoint that you can use to connect to the DB proxy. You include the\nendpoint value in the connection string for a database client application.","type":"string"},"status":{"description":"The current status of this proxy. A status of available means the proxy is\nready to handle requests. Other values indicate that you must wait for the\nproxy to be ready, or take some action to resolve an issue.","type":"string"},"updatedDate":{"description":"The date and time when the proxy was last updated.","type":"string","format":"date-time"},"vpcID":{"description":"Provides the VPC ID of the DB proxy.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBProxy","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBProxy"},"aws.k8s.services.rds.v1alpha1.DBProxyList":{"description":"DBProxyList is a list of DBProxy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbproxies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBProxy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBProxyList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBProxyList"},"aws.k8s.services.rds.v1alpha1.DBSnapshot":{"description":"DBSnapshot is the Schema for the DBSnapshots API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBSnapshotSpec defines the desired state of DBSnapshot.\n\nContains the details of an Amazon RDS DB snapshot.\n\nThis data type is used as a response element in the DescribeDBSnapshots action.","type":"object","required":["dbSnapshotIdentifier"],"properties":{"dbInstanceIdentifier":{"description":"The identifier of the DB instance that you want to create the snapshot of.\n\nConstraints:\n\n  - Must match the identifier of an existing DBInstance.","type":"string"},"dbInstanceIdentifierRef":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}},"dbSnapshotIdentifier":{"description":"The identifier for the DB snapshot.\n\nConstraints:\n\n  - Can't be null, empty, or blank\n\n  - Must contain from 1 to 255 letters, numbers, or hyphens\n\n  - First character must be a letter\n\n  - Can't end with a hyphen or contain two consecutive hyphens\n\nExample: my-snapshot-id","type":"string"},"tags":{"type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User 
Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBSnapshotStatus defines the observed state of DBSnapshot","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"allocatedStorage":{"description":"Specifies the allocated storage size in gibibytes (GiB).","type":"integer","format":"int64"},"availabilityZone":{"description":"Specifies the name of the Availability Zone the DB instance was located in\nat the time of the DB snapshot.","type":"string"},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API 
resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"dbiResourceID":{"description":"The identifier for the source DB instance, which can't be changed and which\nis unique to an Amazon Web Services Region.","type":"string"},"encrypted":{"description":"Indicates whether the DB snapshot is encrypted.","type":"boolean"},"engine":{"description":"Specifies the name of the database engine.","type":"string"},"iamDatabaseAuthenticationEnabled":{"description":"Indicates whether mapping of Amazon Web Services Identity and Access Management\n(IAM) accounts to database accounts is enabled.","type":"boolean"},"instanceCreateTime":{"description":"Specifies the time in Coordinated Universal Time (UTC) when the DB instance,\nfrom which the snapshot was taken, was created.","type":"string","format":"date-time"},"iops":{"description":"Specifies the Provisioned IOPS (I/O operations per second) value of the DB\ninstance at the time of the snapshot.","type":"integer","format":"int64"},"kmsKeyID":{"description":"If Encrypted is true, the Amazon Web Services KMS key identifier for the\nencrypted DB snapshot.\n\nThe Amazon Web Services KMS key identifier is the key ARN, key ID, alias\nARN, or alias name for the KMS key.","type":"string"},"licenseModel":{"description":"License model information for the restored DB instance.","type":"string"},"masterUsername":{"description":"Provides the master username for the DB 
snapshot.","type":"string"},"originalSnapshotCreateTime":{"description":"Specifies the time of the CreateDBSnapshot operation in Coordinated Universal\nTime (UTC). Doesn't change when the snapshot is copied.","type":"string","format":"date-time"},"percentProgress":{"description":"The percentage of the estimated data that has been transferred.","type":"integer","format":"int64"},"port":{"description":"Specifies the port that the database engine was listening on at the time\nof the snapshot.","type":"integer","format":"int64"},"processorFeatures":{"description":"The number of CPU cores and the number of threads per core for the DB instance\nclass of the DB instance when the DB snapshot was created.","type":"array","items":{"description":"Contains the processor features of a DB instance class.\n\nTo specify the number of CPU cores, use the coreCount feature name for the\nName parameter. To specify the number of threads per core, use the threadsPerCore\nfeature name for the Name parameter.\n\nYou can set the processor features of the DB instance class for a DB instance\nwhen you call one of the following actions:\n\n  - CreateDBInstance\n\n  - ModifyDBInstance\n\n  - RestoreDBInstanceFromDBSnapshot\n\n  - RestoreDBInstanceFromS3\n\n  - RestoreDBInstanceToPointInTime\n\nYou can view the valid processor values for a particular instance class by\ncalling the DescribeOrderableDBInstanceOptions action and specifying the\ninstance class for the DBInstanceClass parameter.\n\nIn addition, you can use the following actions for DB instance class processor\ninformation:\n\n  - DescribeDBInstances\n\n  - DescribeDBSnapshots\n\n  - DescribeValidDBInstanceModifications\n\nIf you call DescribeDBInstances, ProcessorFeature returns non-null values\nonly if the following conditions are met:\n\n  - You are accessing an Oracle DB instance.\n\n  - Your Oracle DB instance class supports configuring the number of CPU\n    cores and threads per core.\n\n  - The current number CPU cores and 
threads is set to a non-default value.\n\nFor more information, see Configuring the processor for a DB instance class\nin RDS for Oracle (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html#USER_ConfigureProcessor)\nin the Amazon RDS User Guide.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"snapshotCreateTime":{"description":"Specifies when the snapshot was taken in Coordinated Universal Time (UTC).\nChanges for the copy when the snapshot is copied.","type":"string","format":"date-time"},"snapshotDatabaseTime":{"description":"The timestamp of the most recent transaction applied to the database that\nyou're backing up. Thus, if you restore a snapshot, SnapshotDatabaseTime\nis the most recent transaction in the restored DB instance. In contrast,\noriginalSnapshotCreateTime specifies the system time that the snapshot completed.\n\nIf you back up a read replica, you can determine the replica lag by comparing\nSnapshotDatabaseTime with originalSnapshotCreateTime. For example, if originalSnapshotCreateTime\nis two hours later than SnapshotDatabaseTime, then the replica lag is two\nhours.","type":"string","format":"date-time"},"snapshotTarget":{"description":"Specifies where manual snapshots are stored: Amazon Web Services Outposts\nor the Amazon Web Services Region.","type":"string"},"snapshotType":{"description":"Provides the type of the DB snapshot.","type":"string"},"sourceDBSnapshotIdentifier":{"description":"The DB snapshot Amazon Resource Name (ARN) that the DB snapshot was copied\nfrom. 
It only has a value in the case of a cross-account or cross-Region\ncopy.","type":"string"},"sourceRegion":{"description":"The Amazon Web Services Region that the DB snapshot was created in or copied\nfrom.","type":"string"},"status":{"description":"Specifies the status of this DB snapshot.","type":"string"},"storageThroughput":{"description":"Specifies the storage throughput for the DB snapshot.","type":"integer","format":"int64"},"storageType":{"description":"Specifies the storage type associated with DB snapshot.","type":"string"},"tagList":{"type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"tdeCredentialARN":{"description":"The ARN from the key store with which to associate the instance for TDE encryption.","type":"string"},"timezone":{"description":"The time zone of the DB snapshot. In most cases, the Timezone element is\nempty. Timezone content appears only for snapshots taken from Microsoft SQL\nServer DB instances that were created with a time zone specified.","type":"string"},"vpcID":{"description":"Provides the VPC ID associated with the DB snapshot.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBSnapshot","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBSnapshot"},"aws.k8s.services.rds.v1alpha1.DBSnapshotList":{"description":"DBSnapshotList is a list of DBSnapshot","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbsnapshots. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBSnapshot"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBSnapshotList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBSnapshotList"},"aws.k8s.services.rds.v1alpha1.DBSubnetGroup":{"description":"DBSubnetGroup is the Schema for the DBSubnetGroups API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DBSubnetGroupSpec defines the desired state of DBSubnetGroup.\n\nContains the details of an Amazon RDS DB subnet group.\n\nThis data type is used as a response element in the DescribeDBSubnetGroups\naction.","type":"object","required":["description","name"],"properties":{"description":{"description":"The description for the DB subnet group.","type":"string"},"name":{"description":"The name for the DB subnet group. This value is stored as a lowercase string.\n\nConstraints:\n\n  - Must contain no more than 255 letters, numbers, periods, underscores,\n    spaces, or hyphens.\n\n  - Must not be default.\n\n  - First character must be a letter.\n\nExample: mydbsubnetgroup","type":"string"},"subnetIDs":{"description":"The EC2 Subnet IDs for the DB subnet group.","type":"array","items":{"type":"string"}},"subnetRefs":{"type":"array","items":{"description":"AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t  name: my-api","type":"object","properties":{"from":{"description":"AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)","type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}}}}}},"tags":{"description":"Tags to assign to the DB subnet group.","type":"array","items":{"description":"Metadata assigned to an Amazon RDS resource consisting of a key-value pair.\n\nFor more information, see Tagging Amazon RDS resources 
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html)\nin the Amazon RDS User Guide or Tagging Amazon Aurora and Amazon RDS resources\n(https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html)\nin the Amazon Aurora User Guide.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"status":{"description":"DBSubnetGroupStatus defines the observed state of DBSubnetGroup","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API 
resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"subnetGroupStatus":{"description":"Provides the status of the DB subnet group.","type":"string"},"subnets":{"description":"Contains a list of Subnet elements.","type":"array","items":{"description":"This data type is used as a response element for the DescribeDBSubnetGroups\noperation.","type":"object","properties":{"subnetAvailabilityZone":{"description":"Contains Availability Zone information.\n\nThis data type is used as an element in the OrderableDBInstanceOption data\ntype.","type":"object","properties":{"name":{"type":"string"}}},"subnetIdentifier":{"type":"string"},"subnetOutpost":{"description":"A data type that represents an Outpost.\n\nFor more information about RDS on Outposts, see Amazon RDS on Amazon Web\nServices Outposts (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-on-outposts.html)\nin the Amazon RDS User Guide.","type":"object","properties":{"arn":{"type":"string"}}},"subnetStatus":{"type":"string"}}}},"supportedNetworkTypes":{"description":"The network type of the DB subnet group.\n\nValid values:\n\n   * IPV4\n\n   * DUAL\n\nA DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6\nprotocols (DUAL).\n\nFor more information, see Working with a DB instance in a VPC (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html)\nin the Amazon RDS User 
Guide.","type":"array","items":{"type":"string"}},"vpcID":{"description":"Provides the VpcId of the DB subnet group.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBSubnetGroup","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBSubnetGroup"},"aws.k8s.services.rds.v1alpha1.DBSubnetGroupList":{"description":"DBSubnetGroupList is a list of DBSubnetGroup","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbsubnetgroups. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.DBSubnetGroup"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"DBSubnetGroupList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.DBSubnetGroupList"},"aws.k8s.services.rds.v1alpha1.GlobalCluster":{"description":"GlobalCluster is the Schema for the GlobalClusters API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GlobalClusterSpec defines the desired state of GlobalCluster.\n\nA data type representing an Aurora global database.","type":"object","properties":{"databaseName":{"description":"The name for your database of up to 64 alphanumeric characters. If you don't\nspecify a name, Amazon Aurora doesn't create a database in the global database\ncluster.\n\nConstraints:\n\n  - Can't be specified if SourceDBClusterIdentifier is specified. 
In this\n    case, Amazon Aurora uses the database name from the source DB cluster.","type":"string"},"deletionProtection":{"description":"Specifies whether to enable deletion protection for the new global database\ncluster. The global database can't be deleted when deletion protection is\nenabled.","type":"boolean"},"engine":{"description":"The database engine to use for this global database cluster.\n\nValid Values: aurora-mysql | aurora-postgresql\n\nConstraints:\n\n  - Can't be specified if SourceDBClusterIdentifier is specified. In this\n    case, Amazon Aurora uses the engine of the source DB cluster.","type":"string"},"engineVersion":{"description":"The engine version to use for this global database cluster.\n\nConstraints:\n\n  - Can't be specified if SourceDBClusterIdentifier is specified. In this\n    case, Amazon Aurora uses the engine version of the source DB cluster.","type":"string"},"globalClusterIdentifier":{"description":"The cluster identifier for this global database cluster. This parameter is\nstored as a lowercase string.","type":"string"},"sourceDBClusterIdentifier":{"description":"The Amazon Resource Name (ARN) to use as the primary cluster of the global\ndatabase.\n\nIf you provide a value for this parameter, don't specify values for the following\nsettings because Amazon Aurora uses the values from the specified source\nDB cluster:\n\n  - DatabaseName\n\n  - Engine\n\n  - EngineVersion\n\n  - StorageEncrypted","type":"string"},"storageEncrypted":{"description":"Specifies whether to enable storage encryption for the new global database\ncluster.\n\nConstraints:\n\n  - Can't be specified if SourceDBClusterIdentifier is specified. 
In this\n    case, Amazon Aurora uses the setting from the source DB cluster.","type":"boolean"}}},"status":{"description":"GlobalClusterStatus defines the observed state of GlobalCluster","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the 
transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"engineLifecycleSupport":{"description":"The life cycle type for the global cluster.\n\nFor more information, see CreateGlobalCluster.","type":"string"},"failoverState":{"description":"A data object containing all properties for the current state of an in-process\nor pending switchover or failover process for this global cluster (Aurora\nglobal database). This object is empty unless the SwitchoverGlobalCluster\nor FailoverGlobalCluster operation was called on this global cluster.","type":"object","properties":{"fromDBClusterARN":{"type":"string"},"status":{"type":"string"},"toDBClusterARN":{"type":"string"}}},"globalClusterMembers":{"description":"The list of primary and secondary clusters within the global database cluster.","type":"array","items":{"description":"A data structure with information about any primary and secondary clusters\nassociated with a global cluster (Aurora global database).","type":"object","properties":{"dbClusterARN":{"type":"string"},"globalWriteForwardingStatus":{"type":"string"},"isWriter":{"type":"boolean"},"readers":{"type":"array","items":{"type":"string"}}}}},"globalClusterResourceID":{"description":"The Amazon Web Services Region-unique, immutable identifier for the global\ndatabase cluster. 
This identifier is found in Amazon Web Services CloudTrail\nlog entries whenever the Amazon Web Services KMS key for the DB cluster is\naccessed.","type":"string"},"status":{"description":"Specifies the current state of this global database cluster.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"GlobalCluster","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.GlobalCluster"},"aws.k8s.services.rds.v1alpha1.GlobalClusterList":{"description":"GlobalClusterList is a list of GlobalCluster","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of globalclusters. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.rds.v1alpha1.GlobalCluster"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rds.services.k8s.aws","kind":"GlobalClusterList","version":"v1alpha1"}],"title":"aws.k8s.services.rds.v1alpha1.GlobalClusterList"},"aws.k8s.services.s3.v1alpha1.Bucket":{"description":"Bucket is the Schema for the Buckets API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"BucketSpec defines the desired state of Bucket.\n\nIn terms of implementation, a Bucket is a resource.","type":"object","required":["name"],"properties":{"accelerate":{"description":"Container for setting the transfer acceleration state.","type":"object","properties":{"status":{"type":"string"}}},"acl":{"description":"The canned ACL to apply to the bucket.\n\nThis functionality is not supported for directory buckets.","type":"string"},"analytics":{"type":"array","items":{"description":"Specifies the configuration and any analyses for the analytics filter of\nan Amazon S3 bucket.","type":"object","properties":{"filter":{"description":"The filter used to describe a set of objects for analyses. A filter must\nhave exactly one prefix, one tag, or one conjunction (AnalyticsAndOperator).\nIf no filter is provided, all objects will be considered in any analysis.","type":"object","properties":{"and":{"description":"A conjunction (logical AND) of predicates, which is used in evaluating a\nmetrics filter. 
The operator must have at least two predicates in any combination,\nand an object must match all of the predicates for the filter to apply.","type":"object","properties":{"prefix":{"type":"string"},"tags":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"prefix":{"type":"string"},"tag":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}},"id":{"type":"string"},"storageClassAnalysis":{"description":"Specifies data related to access patterns to be collected and made available\nto analyze the tradeoffs between different storage classes for an Amazon\nS3 bucket.","type":"object","properties":{"dataExport":{"description":"Container for data related to the storage class analysis for an Amazon S3\nbucket for export.","type":"object","properties":{"destination":{"description":"Where to publish the analytics results.","type":"object","properties":{"s3BucketDestination":{"description":"Contains information about where to publish the analytics results.","type":"object","properties":{"bucket":{"type":"string"},"bucketAccountID":{"type":"string"},"format":{"type":"string"},"prefix":{"type":"string"}}}}},"outputSchemaVersion":{"type":"string"}}}}}}}},"cors":{"description":"Describes the cross-origin access configuration for objects in an Amazon\nS3 bucket. 
For more information, see Enabling Cross-Origin Resource Sharing\n(https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the Amazon\nS3 User Guide.","type":"object","properties":{"corsRules":{"type":"array","items":{"description":"Specifies a cross-origin access rule for an Amazon S3 bucket.","type":"object","properties":{"allowedHeaders":{"type":"array","items":{"type":"string"}},"allowedMethods":{"type":"array","items":{"type":"string"}},"allowedOrigins":{"type":"array","items":{"type":"string"}},"exposeHeaders":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"maxAgeSeconds":{"type":"integer","format":"int64"}}}}}},"createBucketConfiguration":{"description":"The configuration information for the bucket.","type":"object","properties":{"bucket":{"description":"Specifies the information about the bucket that will be created. For more\ninformation about directory buckets, see Directory buckets (https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html)\nin the Amazon S3 User Guide.\n\nThis functionality is only supported by directory buckets.","type":"object","properties":{"dataRedundancy":{"type":"string"},"type":{"type":"string"}}},"location":{"description":"Specifies the location where the bucket will be created.\n\nFor directory buckets, the location type is Availability Zone or Local Zone.\nFor more information about directory buckets, see Directory buckets (https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html)\nin the Amazon S3 User Guide.\n\nThis functionality is only supported by directory buckets.","type":"object","properties":{"name":{"type":"string"},"type":{"type":"string"}}},"locationConstraint":{"type":"string"}}},"encryption":{"description":"Specifies the default server-side-encryption configuration.","type":"object","properties":{"rules":{"type":"array","items":{"description":"Specifies the default server-side encryption configuration.\n\n  - General purpose buckets 
- If you're specifying a customer managed KMS\n    key, we recommend using a fully qualified KMS key ARN. If you use a KMS\n    key alias instead, then KMS resolves the key within the requester’s\n    account. This behavior can result in data that's encrypted with a KMS\n    key that belongs to the requester, and not the bucket owner.\n\n  - Directory buckets - When you specify a KMS customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)\n    for encryption in your directory bucket, only use the key ID or key ARN.\n    The key alias format of the KMS key isn't supported.","type":"object","properties":{"applyServerSideEncryptionByDefault":{"description":"Describes the default server-side encryption to apply to new objects in the\nbucket. If a PUT Object request doesn't specify any server-side encryption,\nthis default encryption will be applied. For more information, see PutBucketEncryption\n(https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html).\n\n   * General purpose buckets - If you don't specify a customer managed key\n   at configuration, Amazon S3 automatically creates an Amazon Web Services\n   KMS key (aws/s3) in your Amazon Web Services account the first time that\n   you add an object encrypted with SSE-KMS to a bucket. By default, Amazon\n   S3 uses this KMS key for SSE-KMS.\n\n   * Directory buckets - Your SSE-KMS configuration can only support 1 customer\n   managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)\n   per directory bucket for the lifetime of the bucket. 
The Amazon Web Services\n   managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk)\n   (aws/s3) isn't supported.\n\n   * Directory buckets - For directory buckets, there are only two supported\n   options for server-side encryption: SSE-S3 and SSE-KMS.","type":"object","properties":{"kmsMasterKeyID":{"type":"string"},"sseAlgorithm":{"type":"string"}}},"bucketKeyEnabled":{"type":"boolean"}}}}}},"grantFullControl":{"description":"Allows grantee the read, write, read ACP, and write ACP permissions on the\nbucket.\n\nThis functionality is not supported for directory buckets.","type":"string"},"grantRead":{"description":"Allows grantee to list the objects in the bucket.\n\nThis functionality is not supported for directory buckets.","type":"string"},"grantReadACP":{"description":"Allows grantee to read the bucket ACL.\n\nThis functionality is not supported for directory buckets.","type":"string"},"grantWrite":{"description":"Allows grantee to create new objects in the bucket.\n\nFor the bucket and object owners of existing objects, also allows deletions\nand overwrites of those objects.\n\nThis functionality is not supported for directory buckets.","type":"string"},"grantWriteACP":{"description":"Allows grantee to write the ACL for the applicable bucket.\n\nThis functionality is not supported for directory buckets.","type":"string"},"intelligentTiering":{"type":"array","items":{"description":"Specifies the S3 Intelligent-Tiering configuration for an Amazon S3 bucket.\n\nFor information about the S3 Intelligent-Tiering storage class, see Storage\nclass for automatically optimizing frequently and infrequently accessed objects\n(https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access).","type":"object","properties":{"filter":{"description":"The Filter is used to identify objects that the S3 Intelligent-Tiering configuration\napplies to.","type":"object","properties":{"and":{"description":"A 
container for specifying S3 Intelligent-Tiering filters. The filters determine\nthe subset of objects to which the rule applies.","type":"object","properties":{"prefix":{"type":"string"},"tags":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"prefix":{"type":"string"},"tag":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}},"id":{"type":"string"},"status":{"type":"string"},"tierings":{"type":"array","items":{"description":"The S3 Intelligent-Tiering storage class is designed to optimize storage\ncosts by automatically moving data to the most cost-effective storage access\ntier, without additional operational overhead.","type":"object","properties":{"accessTier":{"type":"string"},"days":{"type":"integer","format":"int64"}}}}}}},"inventory":{"type":"array","items":{"description":"Specifies the inventory configuration for an Amazon S3 bucket. 
For more information,\nsee GET Bucket inventory (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html)\nin the Amazon S3 API Reference.","type":"object","properties":{"destination":{"description":"Specifies the inventory configuration for an Amazon S3 bucket.","type":"object","properties":{"s3BucketDestination":{"description":"Contains the bucket name, file format, bucket owner (optional), and prefix\n(optional) where inventory results are published.","type":"object","properties":{"accountID":{"type":"string"},"bucket":{"type":"string"},"encryption":{"description":"Contains the type of server-side encryption used to encrypt the inventory\nresults.","type":"object","properties":{"sseKMS":{"description":"Specifies the use of SSE-KMS to encrypt delivered inventory reports.","type":"object","properties":{"keyID":{"type":"string"}}}}},"format":{"type":"string"},"prefix":{"type":"string"}}}}},"filter":{"description":"Specifies an inventory filter. The inventory only includes objects that meet\nthe filter's criteria.","type":"object","properties":{"prefix":{"type":"string"}}},"id":{"type":"string"},"includedObjectVersions":{"type":"string"},"isEnabled":{"type":"boolean"},"optionalFields":{"type":"array","items":{"type":"string"}},"schedule":{"description":"Specifies the schedule for generating inventory results.","type":"object","properties":{"frequency":{"type":"string"}}}}}},"lifecycle":{"description":"Container for lifecycle rules. 
You can add as many as 1,000 rules.","type":"object","properties":{"rules":{"type":"array","items":{"description":"A lifecycle rule for individual objects in an Amazon S3 bucket.\n\nFor more information, see Managing your storage lifecycle (https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"abortIncompleteMultipartUpload":{"description":"Specifies the days since the initiation of an incomplete multipart upload\nthat Amazon S3 will wait before permanently removing all parts of the upload.\nFor more information, see Aborting Incomplete Multipart Uploads Using a Bucket\nLifecycle Configuration (https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config)\nin the Amazon S3 User Guide.","type":"object","properties":{"daysAfterInitiation":{"type":"integer","format":"int64"}}},"expiration":{"description":"Container for the expiration for the lifecycle of the object.\n\nFor more information, see Managing your storage lifecycle (https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"date":{"type":"string","format":"date-time"},"days":{"type":"integer","format":"int64"},"expiredObjectDeleteMarker":{"type":"boolean"}}},"filter":{"description":"The Filter is used to identify objects that a Lifecycle Rule applies to.\nA Filter can have exactly one of Prefix, Tag, ObjectSizeGreaterThan, ObjectSizeLessThan,\nor And specified. If the Filter element is left empty, the Lifecycle Rule\napplies to all objects in the bucket.","type":"object","properties":{"and":{"description":"This is used in a Lifecycle Rule Filter to apply a logical AND to two or\nmore predicates. 
The Lifecycle Rule will apply to any object matching all\nof the predicates configured inside the And operator.","type":"object","properties":{"objectSizeGreaterThan":{"type":"integer","format":"int64"},"objectSizeLessThan":{"type":"integer","format":"int64"},"prefix":{"type":"string"},"tags":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"objectSizeGreaterThan":{"type":"integer","format":"int64"},"objectSizeLessThan":{"type":"integer","format":"int64"},"prefix":{"type":"string"},"tag":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}},"id":{"type":"string"},"noncurrentVersionExpiration":{"description":"Specifies when noncurrent object versions expire. Upon expiration, Amazon\nS3 permanently deletes the noncurrent object versions. You set this lifecycle\nconfiguration action on a bucket that has versioning enabled (or suspended)\nto request that Amazon S3 delete noncurrent object versions at a specific\nperiod in the object's lifetime.\n\nThis parameter applies to general purpose buckets only. It is not supported\nfor directory bucket lifecycle configurations.","type":"object","properties":{"newerNoncurrentVersions":{"type":"integer","format":"int64"},"noncurrentDays":{"type":"integer","format":"int64"}}},"noncurrentVersionTransitions":{"type":"array","items":{"description":"Container for the transition rule that describes when noncurrent objects\ntransition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER_IR,\nGLACIER, or DEEP_ARCHIVE storage class. 
If your bucket is versioning-enabled\n(or versioning is suspended), you can set this action to request that Amazon\nS3 transition noncurrent object versions to the STANDARD_IA, ONEZONE_IA,\nINTELLIGENT_TIERING, GLACIER_IR, GLACIER, or DEEP_ARCHIVE storage class at\na specific period in the object's lifetime.","type":"object","properties":{"newerNoncurrentVersions":{"type":"integer","format":"int64"},"noncurrentDays":{"type":"integer","format":"int64"},"storageClass":{"type":"string"}}}},"prefix":{"type":"string"},"status":{"type":"string"},"transitions":{"type":"array","items":{"description":"Specifies when an object transitions to a specified storage class. For more\ninformation about Amazon S3 lifecycle configuration rules, see Transitioning\nObjects Using Amazon S3 Lifecycle (https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"date":{"type":"string","format":"date-time"},"days":{"type":"integer","format":"int64"},"storageClass":{"type":"string"}}}}}}}}},"logging":{"description":"Container for logging status information.","type":"object","properties":{"loggingEnabled":{"description":"Describes where logs are stored and the prefix that Amazon S3 assigns to\nall log object keys for a bucket. For more information, see PUT Bucket logging\n(https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html)\nin the Amazon S3 API Reference.","type":"object","properties":{"targetBucket":{"type":"string"},"targetGrants":{"type":"array","items":{"description":"Container for granting information.\n\nBuckets that use the bucket owner enforced setting for Object Ownership don't\nsupport target grants. 
For more information, see Permissions server access\nlog delivery (https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general)\nin the Amazon S3 User Guide.","type":"object","properties":{"grantee":{"description":"Container for the person being granted permissions.","type":"object","properties":{"displayName":{"type":"string"},"emailAddress":{"type":"string"},"id":{"type":"string"},"type_":{"type":"string"},"uRI":{"type":"string"}}},"permission":{"type":"string"}}}},"targetPrefix":{"type":"string"}}}}},"metrics":{"type":"array","items":{"description":"Specifies a metrics configuration for the CloudWatch request metrics (specified\nby the metrics configuration ID) from an Amazon S3 bucket. If you're updating\nan existing metrics configuration, note that this is a full replacement of\nthe existing metrics configuration. If you don't include the elements you\nwant to keep, they are erased. For more information, see PutBucketMetricsConfiguration\n(https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html).","type":"object","properties":{"filter":{"description":"Specifies a metrics configuration filter. The metrics configuration only\nincludes objects that meet the filter's criteria. A filter must be a prefix,\nan object tag, an access point ARN, or a conjunction (MetricsAndOperator).\nFor more information, see PutBucketMetricsConfiguration (https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketMetricsConfiguration.html).","type":"object","properties":{"accessPointARN":{"type":"string"},"and":{"description":"A conjunction (logical AND) of predicates, which is used in evaluating a\nmetrics filter. 
The operator must have at least two predicates, and an object\nmust match all of the predicates in order for the filter to apply.","type":"object","properties":{"accessPointARN":{"type":"string"},"prefix":{"type":"string"},"tags":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"prefix":{"type":"string"},"tag":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}},"id":{"type":"string"}}}},"name":{"description":"The name of the bucket to create.\n\nGeneral purpose buckets - For information about bucket naming restrictions,\nsee Bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html)\nin the Amazon S3 User Guide.\n\nDirectory buckets - When you use this operation with a directory bucket,\nyou must use path-style requests in the format https://s3express-control.region-code.amazonaws.com/bucket-name\n. Virtual-hosted-style requests aren't supported. Directory bucket names\nmust be unique in the chosen Zone (Availability Zone or Local Zone). Bucket\nnames must also follow the format bucket-base-name--zone-id--x-s3 (for example,\nDOC-EXAMPLE-BUCKET--usw2-az1--x-s3). 
For information about bucket naming\nrestrictions, see Directory bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html)\nin the Amazon S3 User Guide","type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"notification":{"description":"A container for specifying the notification configuration of the bucket.\nIf this element is empty, notifications are turned off for the bucket.","type":"object","properties":{"lambdaFunctionConfigurations":{"type":"array","items":{"description":"A container for specifying the configuration for Lambda notifications.","type":"object","properties":{"events":{"type":"array","items":{"type":"string"}},"filter":{"description":"Specifies object key name filtering rules. For information about key name\nfiltering, see Configuring event notifications using object key name filtering\n(https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"key":{"description":"A container for object key name prefix and suffix filtering rules.","type":"object","properties":{"filterRules":{"description":"A list of containers for the key-value pair that defines the criteria for\nthe filter rule.","type":"array","items":{"description":"Specifies the Amazon S3 object key name to filter on. An object key name\nis the name assigned to an object in your Amazon S3 bucket. You specify whether\nto filter on the suffix or prefix of the object key name. A prefix is a specific\nstring of characters at the beginning of an object key name, which you can\nuse to organize objects. For example, you can start the key names of related\nobjects with a prefix, such as 2023- or engineering/. Then, you can use FilterRule\nto find objects in a bucket with key names that have the same prefix. 
A suffix\nis similar to a prefix, but it is at the end of the object key name instead\nof at the beginning.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}}}}}},"id":{"description":"An optional unique identifier for configurations in a notification configuration.\nIf you don't provide one, Amazon S3 will assign an ID.","type":"string"},"lambdaFunctionARN":{"type":"string"}}}},"queueConfigurations":{"type":"array","items":{"description":"Specifies the configuration for publishing messages to an Amazon Simple Queue\nService (Amazon SQS) queue when Amazon S3 detects specified events.","type":"object","properties":{"events":{"type":"array","items":{"type":"string"}},"filter":{"description":"Specifies object key name filtering rules. For information about key name\nfiltering, see Configuring event notifications using object key name filtering\n(https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"key":{"description":"A container for object key name prefix and suffix filtering rules.","type":"object","properties":{"filterRules":{"description":"A list of containers for the key-value pair that defines the criteria for\nthe filter rule.","type":"array","items":{"description":"Specifies the Amazon S3 object key name to filter on. An object key name\nis the name assigned to an object in your Amazon S3 bucket. You specify whether\nto filter on the suffix or prefix of the object key name. A prefix is a specific\nstring of characters at the beginning of an object key name, which you can\nuse to organize objects. For example, you can start the key names of related\nobjects with a prefix, such as 2023- or engineering/. Then, you can use FilterRule\nto find objects in a bucket with key names that have the same prefix. 
A suffix\nis similar to a prefix, but it is at the end of the object key name instead\nof at the beginning.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}}}}}},"id":{"description":"An optional unique identifier for configurations in a notification configuration.\nIf you don't provide one, Amazon S3 will assign an ID.","type":"string"},"queueARN":{"type":"string"}}}},"topicConfigurations":{"type":"array","items":{"description":"A container for specifying the configuration for publication of messages\nto an Amazon Simple Notification Service (Amazon SNS) topic when Amazon S3\ndetects specified events.","type":"object","properties":{"events":{"type":"array","items":{"type":"string"}},"filter":{"description":"Specifies object key name filtering rules. For information about key name\nfiltering, see Configuring event notifications using object key name filtering\n(https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"key":{"description":"A container for object key name prefix and suffix filtering rules.","type":"object","properties":{"filterRules":{"description":"A list of containers for the key-value pair that defines the criteria for\nthe filter rule.","type":"array","items":{"description":"Specifies the Amazon S3 object key name to filter on. An object key name\nis the name assigned to an object in your Amazon S3 bucket. You specify whether\nto filter on the suffix or prefix of the object key name. A prefix is a specific\nstring of characters at the beginning of an object key name, which you can\nuse to organize objects. For example, you can start the key names of related\nobjects with a prefix, such as 2023- or engineering/. Then, you can use FilterRule\nto find objects in a bucket with key names that have the same prefix. 
A suffix\nis similar to a prefix, but it is at the end of the object key name instead\nof at the beginning.","type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}}}}}},"id":{"description":"An optional unique identifier for configurations in a notification configuration.\nIf you don't provide one, Amazon S3 will assign an ID.","type":"string"},"topicARN":{"type":"string"}}}}}},"objectLockEnabledForBucket":{"description":"Specifies whether you want S3 Object Lock to be enabled for the new bucket.\n\nThis functionality is not supported for directory buckets.","type":"boolean"},"objectOwnership":{"type":"string"},"ownershipControls":{"description":"The OwnershipControls (BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter)\nthat you want to apply to this Amazon S3 bucket.","type":"object","properties":{"rules":{"type":"array","items":{"description":"The container element for an ownership control rule.","type":"object","properties":{"objectOwnership":{"description":"The container element for object ownership for a bucket's ownership controls.\n\nBucketOwnerPreferred - Objects uploaded to the bucket change ownership to\nthe bucket owner if the objects are uploaded with the bucket-owner-full-control\ncanned ACL.\n\nObjectWriter - The uploading account will own the object if the object is\nuploaded with the bucket-owner-full-control canned ACL.\n\nBucketOwnerEnforced - Access control lists (ACLs) are disabled and no longer\naffect permissions. The bucket owner automatically owns and has full control\nover every object in the bucket. 
The bucket only accepts PUT requests that\ndon't specify an ACL or specify bucket owner full control ACLs (such as the\npredefined bucket-owner-full-control canned ACL or a custom ACL in XML format\nthat grants the same permissions).\n\nBy default, ObjectOwnership is set to BucketOwnerEnforced and ACLs are disabled.\nWe recommend keeping ACLs disabled, except in uncommon use cases where you\nmust control access for each object individually. For more information about\nS3 Object Ownership, see Controlling ownership of objects and disabling ACLs\nfor your bucket (https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html)\nin the Amazon S3 User Guide.\n\nThis functionality is not supported for directory buckets. Directory buckets\nuse the bucket owner enforced setting for S3 Object Ownership.","type":"string"}}}}}},"policy":{"description":"The bucket policy as a JSON document.\n\nFor directory buckets, the only IAM action supported in the bucket policy\nis s3express:CreateSession.","type":"string"},"publicAccessBlock":{"description":"The PublicAccessBlock configuration that you want to apply to this Amazon\nS3 bucket. You can enable the configuration options in any combination. For\nmore information about when Amazon S3 considers a bucket or object public,\nsee The Meaning of \"Public\" (https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status)\nin the Amazon S3 User Guide.","type":"object","properties":{"blockPublicACLs":{"type":"boolean"},"blockPublicPolicy":{"type":"boolean"},"ignorePublicACLs":{"type":"boolean"},"restrictPublicBuckets":{"type":"boolean"}}},"replication":{"description":"A container for replication rules. You can add up to 1,000 rules. 
The maximum\nsize of a replication configuration is 2 MB.","type":"object","properties":{"role":{"type":"string"},"rules":{"type":"array","items":{"description":"Specifies which Amazon S3 objects to replicate and where to store the replicas.","type":"object","properties":{"deleteMarkerReplication":{"description":"Specifies whether Amazon S3 replicates delete markers. If you specify a Filter\nin your replication configuration, you must also include a DeleteMarkerReplication\nelement. If your Filter includes a Tag element, the DeleteMarkerReplication\nStatus must be set to Disabled, because Amazon S3 does not support replicating\ndelete markers for tag-based rules. For an example configuration, see Basic\nRule Configuration (https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config).\n\nFor more information about delete marker replication, see Basic Rule Configuration\n(https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html).\n\nIf you are using an earlier version of the replication configuration, Amazon\nS3 handles replication of delete markers differently. 
For more information,\nsee Backward Compatibility (https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations).","type":"object","properties":{"status":{"type":"string"}}},"destination":{"description":"Specifies information about where to publish analysis or configuration results\nfor an Amazon S3 bucket and S3 Replication Time Control (S3 RTC).","type":"object","properties":{"accessControlTranslation":{"description":"A container for information about access control for replicas.","type":"object","properties":{"owner":{"type":"string"}}},"account":{"type":"string"},"bucket":{"type":"string"},"encryptionConfiguration":{"description":"Specifies encryption-related information for an Amazon S3 bucket that is\na destination for replicated objects.\n\nIf you're specifying a customer managed KMS key, we recommend using a fully\nqualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves\nthe key within the requester’s account. This behavior can result in data\nthat's encrypted with a KMS key that belongs to the requester, and not the\nbucket owner.","type":"object","properties":{"replicaKMSKeyID":{"type":"string"}}},"metrics":{"description":"A container specifying replication metrics-related settings enabling replication\nmetrics and events.","type":"object","properties":{"eventThreshold":{"description":"A container specifying the time value for S3 Replication Time Control (S3\nRTC) and replication metrics EventThreshold.","type":"object","properties":{"minutes":{"type":"integer","format":"int64"}}},"status":{"type":"string"}}},"replicationTime":{"description":"A container specifying S3 Replication Time Control (S3 RTC) related information,\nincluding whether S3 RTC is enabled and the time when all objects and operations\non objects must be replicated. 
Must be specified together with a Metrics\nblock.","type":"object","properties":{"status":{"type":"string"},"time":{"description":"A container specifying the time value for S3 Replication Time Control (S3\nRTC) and replication metrics EventThreshold.","type":"object","properties":{"minutes":{"type":"integer","format":"int64"}}}}},"storageClass":{"type":"string"}}},"existingObjectReplication":{"description":"Optional configuration to replicate existing source bucket objects.\n\nThis parameter is no longer supported. To replicate existing objects, see\nReplicating existing objects with S3 Batch Replication (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-batch-replication-batch.html)\nin the Amazon S3 User Guide.","type":"object","properties":{"status":{"type":"string"}}},"filter":{"description":"A filter that identifies the subset of objects to which the replication rule\napplies. A Filter must specify exactly one Prefix, Tag, or an And child element.","type":"object","properties":{"and":{"description":"A container for specifying rule filters. The filters determine the subset\nof objects to which the rule applies. 
This element is required only if you\nspecify more than one filter.\n\nFor example:\n\n   * If you specify both a Prefix and a Tag filter, wrap these filters in\n   an And tag.\n\n   * If you specify a filter based on multiple tags, wrap the Tag elements\n   in an And tag.","type":"object","properties":{"prefix":{"type":"string"},"tags":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"prefix":{"type":"string"},"tag":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}},"id":{"type":"string"},"prefix":{"type":"string"},"priority":{"type":"integer","format":"int64"},"sourceSelectionCriteria":{"description":"A container that describes additional filters for identifying the source\nobjects that you want to replicate. You can choose to enable or disable the\nreplication of these objects. Currently, Amazon S3 supports only the filter\nthat you can specify for objects created with server-side encryption using\na customer managed key stored in Amazon Web Services Key Management Service\n(SSE-KMS).","type":"object","properties":{"replicaModifications":{"description":"A filter that you can specify for selection for modifications on replicas.\nAmazon S3 doesn't replicate replica modifications by default. In the latest\nversion of replication configuration (when Filter is specified), you can\nspecify this element and set the status to Enabled to replicate modifications\non replicas.\n\nIf you don't specify the Filter element, Amazon S3 assumes that the replication\nconfiguration is the earlier version, V1. 
In the earlier version, this element\nis not allowed.","type":"object","properties":{"status":{"type":"string"}}},"sseKMSEncryptedObjects":{"description":"A container for filter information for the selection of S3 objects encrypted\nwith Amazon Web Services KMS.","type":"object","properties":{"status":{"type":"string"}}}}},"status":{"type":"string"}}}}}},"requestPayment":{"description":"Container for Payer.","type":"object","properties":{"payer":{"type":"string"}}},"tagging":{"description":"Container for the TagSet and Tag elements.","type":"object","properties":{"tagSet":{"type":"array","items":{"description":"A container of a key value name pair.","type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"versioning":{"description":"Container for setting the versioning state.","type":"object","properties":{"status":{"type":"string"}}},"website":{"description":"Container for the request.","type":"object","properties":{"errorDocument":{"description":"The error information.","type":"object","properties":{"key":{"type":"string"}}},"indexDocument":{"description":"Container for the Suffix element.","type":"object","properties":{"suffix":{"type":"string"}}},"redirectAllRequestsTo":{"description":"Specifies the redirect behavior of all requests to a website endpoint of\nan Amazon S3 bucket.","type":"object","properties":{"hostName":{"type":"string"},"protocol":{"type":"string"}}},"routingRules":{"type":"array","items":{"description":"Specifies the redirect behavior and when a redirect is applied. For more\ninformation about routing rules, see Configuring advanced conditional redirects\n(https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html#advanced-conditional-redirects)\nin the Amazon S3 User Guide.","type":"object","properties":{"condition":{"description":"A container for describing a condition that must be met for the specified\nredirect to apply. For example, 1. 
If request is for pages in the /docs folder,\nredirect to the /documents folder. 2. If request results in HTTP error 4xx,\nredirect request to another host where you might process the error.","type":"object","properties":{"httpErrorCodeReturnedEquals":{"type":"string"},"keyPrefixEquals":{"type":"string"}}},"redirect":{"description":"Specifies how requests are redirected. In the event of an error, you can\nspecify a different error code to return.","type":"object","properties":{"hostName":{"type":"string"},"httpRedirectCode":{"type":"string"},"protocol":{"type":"string"},"replaceKeyPrefixWith":{"type":"string"},"replaceKeyWith":{"type":"string"}}}}}}}}}},"status":{"description":"BucketStatus defines the observed state of Bucket","type":"object","properties":{"ackResourceMetadata":{"description":"All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource","type":"object","required":["ownerAccountID","region"],"properties":{"arn":{"description":"ARN is the Amazon Resource Name for the resource. 
This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270","type":"string"},"ownerAccountID":{"description":"OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.","type":"string"},"region":{"description":"Region is the AWS region in which the resource exists or will exist.","type":"string"}}},"conditions":{"description":"All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}},"location":{"description":"A forward slash followed by the name of the 
bucket.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"s3.services.k8s.aws","kind":"Bucket","version":"v1alpha1"}],"title":"aws.k8s.services.s3.v1alpha1.Bucket"},"aws.k8s.services.s3.v1alpha1.BucketList":{"description":"BucketList is a list of Bucket","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of buckets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.s3.v1alpha1.Bucket"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"s3.services.k8s.aws","kind":"BucketList","version":"v1alpha1"}],"title":"aws.k8s.services.s3.v1alpha1.BucketList"},"aws.k8s.services.v1alpha1.AdoptedResource":{"description":"AdoptedResource is the schema for the AdoptedResource API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"AdoptedResourceSpec defines the desired state of the AdoptedResource.","type":"object","required":["aws","kubernetes"],"properties":{"aws":{"description":"AWSIdentifiers provide all unique ways to reference an AWS resource.","type":"object","properties":{"additionalKeys":{"description":"AdditionalKeys represents any additional arbitrary identifiers used when\ndescribing the target resource.","type":"object","additionalProperties":{"type":"string"}},"arn":{"description":"ARN is the AWS Resource Name for the resource. It is a globally\nunique identifier.","type":"string"},"nameOrID":{"description":"NameOrId is a user-supplied string identifier for the resource. 
It may\nor may not be globally unique, depending on the type of resource.","type":"string"}}},"kubernetes":{"description":"ResourceWithMetadata provides the values necessary to create a\nKubernetes resource and override any of its metadata values.","type":"object","required":["group","kind"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"metadata":{"description":"ObjectMeta is metadata that all persisted resources must have, which includes all objects\nusers must create.\nIt is not possible to use `metav1.ObjectMeta` inside spec, as the controller-gen\nautomatically converts this to an arbitrary string-string map.\nhttps://github.com/kubernetes-sigs/controller-tools/issues/385\n\nActive discussion about inclusion of this field in the spec is happening in this PR:\nhttps://github.com/kubernetes-sigs/controller-tools/pull/395\n\nUntil this is allowed, or if it never is, we will produce a subset of the object meta\nthat contains only the fields which the user is allowed to modify in the metadata.","type":"object","properties":{"annotations":{"description":"Annotations is an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: http://kubernetes.io/docs/user-guide/annotations","type":"object","additionalProperties":{"type":"string"}},"generateName":{"description":"GenerateName is an optional prefix, used by the server, to generate a unique\nname ONLY IF the Name field has not been provided.\nIf this field is used, the name returned to the client will be different\nthan the name passed. 
This value will also be combined with a unique suffix.\nThe provided value has the same validation rules as the Name field,\nand may be truncated by the length of the suffix required to make the value\nunique on the server.\n\nIf this field is specified and the generated name exists, the server will\nNOT return a 409 - instead, it will either return 201 Created or 500 with Reason\nServerTimeout indicating a unique name could not be found in the time allotted, and the client\nshould retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency","type":"string"},"labels":{"description":"Map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: http://kubernetes.io/docs/user-guide/labels","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names","type":"string"},"namespace":{"description":"Namespace defines the space within which each name must be unique. An empty namespace is\nequivalent to the \"default\" namespace, but \"default\" is the canonical representation.\nNot all objects are required to be scoped to a namespace - the value of this field for\nthose objects will be empty.\n\nMust be a DNS_LABEL.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/namespaces","type":"string"},"ownerReferences":{"description":"List of objects on which this object depends. 
If ALL objects in the list have\nbeen deleted, this object will be garbage collected. If this object is managed by a controller,\nthen an entry in this list will point to this controller, with the controller field set to true.\nThere cannot be more than one managing controller.","type":"array","items":{"description":"OwnerReference contains enough information to let you identify an owning\nobject. An owning object must be in the same namespace as the dependent, or\nbe cluster-scoped, so there is no namespace field.","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}}},"status":{"description":"AdoptedResourceStatus defines the observed status of the 
AdoptedResource.","type":"object","required":["conditions"],"properties":{"conditions":{"description":"A collection of `ackv1alpha1.Condition` objects that describe the various\nterminal states of the adopted resource CR and its target custom resource","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"AdoptedResource","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.AdoptedResource"},"aws.k8s.services.v1alpha1.AdoptedResourceList":{"description":"AdoptedResourceList is a list of AdoptedResource","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of adoptedresources. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.v1alpha1.AdoptedResource"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"AdoptedResourceList","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.AdoptedResourceList"},"aws.k8s.services.v1alpha1.FieldExport":{"description":"FieldExport is the schema for the FieldExport API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"FieldExportSpec defines the desired state of the FieldExport.","type":"object","required":["from","to"],"properties":{"from":{"description":"ResourceFieldSelector provides the values necessary to identify an individual\nfield on an individual K8s resource.","type":"object","required":["path","resource"],"properties":{"path":{"type":"string"},"resource":{"description":"NamespacedResource provides all the values necessary to identify an ACK\nresource of a given type (within the same namespace as the custom resource\ncontaining this type).","type":"object","required":["group","kind","name"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}}}}},"to":{"description":"FieldExportTarget provides the values necessary to identify the\noutput path for a field export.","type":"object","required":["kind","name"],"properties":{"key":{"description":"Key overrides the default value (`<namespace>.<FieldExport-resource-name>`) for the FieldExport target","type":"string"},"kind":{"description":"FieldExportOutputType represents all types that can be produced by a field\nexport operation","type":"string","enum":["configmap","secret"]},"name":{"type":"string"},"namespace":{"description":"Namespace is marked as optional, so we cannot compose `NamespacedName`","type":"string"}}}}},"status":{"description":"FieldExportStatus defines the observed status of the FieldExport.","type":"object","required":["conditions"],"properties":{"conditions":{"description":"A collection of `ackv1alpha1.Condition` objects that describe the various\nrecoverable states of the field CR","type":"array","items":{"description":"Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states  of the CR and its backend AWS\nservice 
API resource","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the Condition","type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"FieldExport","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.FieldExport"},"aws.k8s.services.v1alpha1.FieldExportList":{"description":"FieldExportList is a list of FieldExport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of fieldexports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.v1alpha1.FieldExport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"FieldExportList","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.FieldExportList"},"aws.k8s.services.v1alpha1.IAMRoleSelector":{"description":"IAMRoleSelector is the schema for the IAMRoleSelector API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["arn"],"properties":{"arn":{"type":"string","x-kubernetes-validations":[{"message":"Value is immutable once set","rule":"self == oldSelf"}]},"namespaceSelector":{"description":"IAMRoleSelectorSpec defines the desired state of IAMRoleSelector","type":"object","required":["names"],"properties":{"labelSelector":{"description":"LabelSelector is a label query over a set of resources.","type":"object","required":["matchLabels"],"properties":{"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"names":{"type":"array","items":{"type":"string"}}}},"resourceLabelSelector":{"description":"LabelSelector is a label query over a set of resources.","type":"object","required":["matchLabels"],"properties":{"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"resourceTypeSelector":{"type":"array","items":{"type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}}}}},"status":{"type":"object"}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"IAMRoleSelector","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.IAMRoleSelector"},"aws.k8s.services.v1alpha1.IAMRoleSelectorList":{"description":"IAMRoleSelectorList is a list of IAMRoleSelector","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of iamroleselectors. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.services.v1alpha1.IAMRoleSelector"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"services.k8s.aws","kind":"IAMRoleSelectorList","version":"v1alpha1"}],"title":"aws.k8s.services.v1alpha1.IAMRoleSelectorList"},"aws.k8s.vpcresources.v1alpha1.CNINode":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Important: Run \"make\" to regenerate code after modifying this file\nCNINodeSpec defines the desired state of CNINode","type":"object","properties":{"features":{"type":"array","items":{"description":"Feature is a type of feature being supported by VPC resource controller and other AWS Services","type":"object","properties":{"name":{"description":"FeatureName is a type of feature name supported by AWS VPC CNI. It can be Security Group for Pods, custom networking, or others","type":"string"},"value":{"type":"string"}}}},"tags":{"description":"Additional tag key/value added to all network interfaces provisioned by the vpc-resource-controller and VPC-CNI","type":"object","additionalProperties":{"type":"string"}}}},"status":{"description":"CNINodeStatus defines the managed VPC resources.","type":"object"}},"x-kubernetes-group-version-kind":[{"group":"vpcresources.k8s.aws","kind":"CNINode","version":"v1alpha1"}],"title":"aws.k8s.vpcresources.v1alpha1.CNINode"},"aws.k8s.vpcresources.v1alpha1.CNINodeList":{"description":"CNINodeList is a list of CNINode","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cninodes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.vpcresources.v1alpha1.CNINode"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"vpcresources.k8s.aws","kind":"CNINodeList","version":"v1alpha1"}],"title":"aws.k8s.vpcresources.v1alpha1.CNINodeList"},"aws.k8s.vpcresources.v1beta1.SecurityGroupPolicy":{"description":"Custom Resource Definition for applying security groups to pods","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecurityGroupPolicySpec defines the desired state of SecurityGroupPolicy","type":"object","properties":{"podSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. 
An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"securityGroups":{"description":"GroupIds contains the list of security groups that will be applied to the network interface of the pod matching the criteria.","type":"object","properties":{"groupIds":{"description":"Groups is the list of EC2 Security Groups Ids that need to be applied to the ENI of a Pod.","type":"array","minItems":1,"items":{"type":"string"}}}},"serviceAccountSelector":{"description":"A label selector is a label query over a set of resources. 
The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}},"x-kubernetes-group-version-kind":[{"group":"vpcresources.k8s.aws","kind":"SecurityGroupPolicy","version":"v1beta1"}],"title":"aws.k8s.vpcresources.v1beta1.SecurityGroupPolicy"},"aws.k8s.vpcresources.v1beta1.SecurityGroupPolicyList":{"description":"SecurityGroupPolicyList is a list of SecurityGroupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of securitygrouppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/aws.k8s.vpcresources.v1beta1.SecurityGroupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"vpcresources.k8s.aws","kind":"SecurityGroupPolicyList","version":"v1beta1"}],"title":"aws.k8s.vpcresources.v1beta1.SecurityGroupPolicyList"},"com.amazonaws.eks.metrics.v1.ETCD":{"description":"ETCD","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.ETCDSpec"},"status":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.ETCDStatus"}},"x-kubernetes-group-version-kind":[{"group":"metrics.eks.amazonaws.com","kind":"ETCD","version":"v1"}],"title":"com.amazonaws.eks.metrics.v1.ETCD"},"com.amazonaws.eks.metrics.v1.ETCDSpec":{"description":"ETCDSpec defines the desired state of ETCD","type":"object","title":"com.amazonaws.eks.metrics.v1.ETCDSpec"},"com.amazonaws.eks.metrics.v1.ETCDStatus":{"description":"ETCDStatus defines the observed state of ETCD","type":"object","title":"com.amazonaws.eks.metrics.v1.ETCDStatus"},"com.amazonaws.eks.metrics.v1.KCM":{"description":"KCM","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this 
representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.KCMSpec"},"status":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.KCMStatus"}},"x-kubernetes-group-version-kind":[{"group":"metrics.eks.amazonaws.com","kind":"KCM","version":"v1"}],"title":"com.amazonaws.eks.metrics.v1.KCM"},"com.amazonaws.eks.metrics.v1.KCMSpec":{"description":"KCMSpec defines the desired state of KCM","type":"object","title":"com.amazonaws.eks.metrics.v1.KCMSpec"},"com.amazonaws.eks.metrics.v1.KCMStatus":{"description":"KCMStatus defines the observed state of KCM","type":"object","title":"com.amazonaws.eks.metrics.v1.KCMStatus"},"com.amazonaws.eks.metrics.v1.KSH":{"description":"KSH","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.KSHSpec"},"status":{"$ref":"#/definitions/com.amazonaws.eks.metrics.v1.KSHStatus"}},"x-kubernetes-group-version-kind":[{"group":"metrics.eks.amazonaws.com","kind":"KSH","version":"v1"}],"title":"com.amazonaws.eks.metrics.v1.KSH"},"com.amazonaws.eks.metrics.v1.KSHSpec":{"description":"KSHSpec defines the desired state of KSH","type":"object","title":"com.amazonaws.eks.metrics.v1.KSHSpec"},"com.amazonaws.eks.metrics.v1.KSHStatus":{"description":"KSHStatus defines the observed state of KSH","type":"object","title":"com.amazonaws.eks.metrics.v1.KSHStatus"},"com.amazonaws.eks.v1.IngressClassParams":{"description":"IngressClassParams is the Schema for the IngressClassParams API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"IngressClassParamsSpec defines the desired state of IngressClassParams","type":"object","properties":{"certificateARNs":{"description":"CertificateARNs specifies ARNs of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"array","items":{"type":"string"}},"group":{"description":"Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the name of IngressGroup.","type":"string","maxLength":63,"minLength":1,"pattern":"^([a-z0-9][-a-z0-9.]*)?[a-z0-9]$"}}},"inboundCIDRs":{"description":"InboundCIDRs specifies the CIDRs that are allowed to access the Ingresses that belong to IngressClass with this IngressClassParams.","type":"array","items":{"type":"string"}},"ipAddressType":{"description":"IPAddressType defines the ip address type for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string","enum":["ipv4","dualstack","dualstack-without-public-ipv4"]},"listeners":{"description":"Listeners define a list of listeners with their protocol, port and attributes.","type":"array","items":{"description":"Listener defines listeners settings for load balancers","type":"object","required":["port","protocol"],"properties":{"attributes":{"description":"The attributes of the listener","type":"array","items":{"description":"ListenerAttribute defines attributes on listeners","type":"object","required":["key","value"],"properties":{"key":{"description":"The key of the attribute.","type":"string","maxLength":256,"minLength":1},"value":{"description":"The value of the attribute.","type":"string","maxLength":1024,"minLength":0}}}},"port":{"description":"The port of the 
listener","type":"integer","format":"int32","maximum":65535,"minimum":1},"protocol":{"description":"The protocol of the listener","type":"string","enum":["HTTP","HTTPS"]}}}},"loadBalancerAttributes":{"description":"LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that belong to IngressClass with this IngressClassParams.","type":"array","items":{"description":"LoadBalancerAttribute defines attributes on load balancer","type":"object","required":["key","value"],"properties":{"key":{"description":"The key of the attribute.","type":"string","maxLength":256,"minLength":1},"value":{"description":"The value of the attribute.","type":"string","maxLength":1024,"minLength":0}}}},"namespaceSelector":{"description":"NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams.\nIf absent or present but empty, it selects all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scheme":{"description":"Scheme defines the scheme for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string","enum":["internal","internet-facing"]},"sslPolicy":{"description":"SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"string"},"subnets":{"description":"Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.","type":"object","properties":{"ids":{"description":"ids specify the resource IDs of subnets within the load balancer's VPC.\nMust specify exactly one of `ids` or `matchTags`.","type":"array","items":{"type":"string","pattern":"^subnet-[0-9a-f]+$"}},"matchTags":{"description":"matchTags specify the tag requirements of subnets within the load balancer's VPC.\nMust specify exactly one of `ids` or `matchTags`.","type":"array","items":{"description":"TagSelectorRequirement is the tag requirement to select subnets by tags","type":"object","required":["key"],"properties":{"key":{"description":"key is the tag key that the selector applies to.","type":"string","maxLength":128,"minLength":1},"values":{"description":"values is an array of string values.","type":"array","items":{"type":"string"}}}}}}},"tags":{"description":"Tags defines list of Tags on AWS resources provisioned for Ingresses that belong to IngressClass with this 
IngressClassParams.","type":"array","items":{"description":"Tag defines an AWS Tag assigned to resources.","type":"object","required":["key","value"],"properties":{"key":{"description":"The key of the tag.","type":"string","maxLength":128,"minLength":1},"value":{"description":"The value of the tag.","type":"string","maxLength":256,"minLength":0}}}}}}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"IngressClassParams","version":"v1"}],"title":"com.amazonaws.eks.v1.IngressClassParams"},"com.amazonaws.eks.v1.IngressClassParamsList":{"description":"IngressClassParamsList is a list of IngressClassParams","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ingressclassparams. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.eks.v1.IngressClassParams"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"IngressClassParamsList","version":"v1"}],"title":"com.amazonaws.eks.v1.IngressClassParamsList"},"com.amazonaws.eks.v1.NodeClass":{"description":"NodeClass is the Schema for the NodeClass API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"NodeClassSpec is the top level specification for the AWS Karpenter Provider.\nThis will contain configuration necessary to launch instances in AWS.","type":"object","required":["securityGroupSelectorTerms","subnetSelectorTerms"],"properties":{"advancedNetworking":{"description":"AdvancedNetworking enables the configuration of custom networking settings for Auto nodes, such as HTTP/HTTPS proxies and no-proxy rules.\nThis is useful in environments with restricted internet access or specific routing requirements, allowing nodes to communicate through proxies\nor bypass certain hosts and networks.","type":"object","properties":{"associatePublicIPAddress":{"description":"AssociatePublicIPAddress controls whether public IP addresses are assigned to instances that are launched with the nodeclass.","type":"boolean"},"enableV4Egress":{"description":"EnableV4Egress: When set to true or not set, enables IPv4 egress traffic from the Auto nodes in IPv6 cluster.","type":"boolean"},"enableV6Egress":{"description":"EnableV6Egress: When set to true, enables IPv6 egress traffic from the Auto nodes in IPv4 cluster.","type":"boolean"},"httpsProxy":{"description":"HttpsProxy: The URL of the HTTPS proxy to use for outbound traffic from the Auto nodes.","type":"string","maxLength":2048,"pattern":"^[0-9a-zA-Z./:@#%&_=?,\\-\\[\\]]+$"},"ipv4PrefixSize":{"description":"IPv4PrefixSize controls size of cidr range that nodes derived from the nodeclass.","type":"string","enum":["32","Auto"]},"noProxy":{"description":"A list of URLs that should be excluded from going through the HTTPS proxy. 
(max 50 entries)","type":"array","maxItems":50,"items":{"type":"string","maxLength":2048,"pattern":"^[0-9a-zA-Z./:@#%&_=?,\\-\\[\\]]+$"}}}},"advancedSecurity":{"description":"AdvancedSecurity allows configuring more complex security options for Auto nodes, for example if nodes should use FIPS-compliant AMIs.","type":"object","properties":{"fips":{"description":"FIPS controls whether AMIs should use FIPS-compliant cryptographic libraries.","type":"boolean"},"kernelLockdown":{"description":"KernelLockdown controls the kernel lockdown setting.","type":"string","enum":["Integrity","None"]}}},"capacityReservationSelectorTerms":{"description":"CapacityReservationSelectorTerms is a list of capacity reservation selector terms. Each term is ORed together to\ndetermine the set of eligible capacity reservations.","type":"array","maxItems":30,"items":{"type":"object","properties":{"id":{"description":"ID is the capacity reservation id in EC2","type":"string","pattern":"^cr-[0-9a-z]+$"},"ownerID":{"description":"Owner is the owner id for the capacity reservation.","type":"string","pattern":"^[0-9]{12}$"},"tags":{"description":"Tags is a map of key/value tags used to select capacity reservations.\nSpecifying '*' for a value selects all values for a given tag key.","type":"object","maxProperties":20,"additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys or values aren't supported","rule":"self.all(k, k != '' && self[k] != '')"}]}}},"x-kubernetes-validations":[{"message":"expected at least one, got none, ['tags', 'id']","rule":"self.all(x, has(x.tags) || has(x.id))"},{"message":"'id' is mutually exclusive, cannot be set along with tags in a capacity reservation selector term","rule":"!self.all(x, has(x.id) && (has(x.tags) || has(x.ownerID)))"}]},"certificateBundles":{"description":"Optional: Provide custom certificate bundles to Auto Mode nodes","type":"array","maxItems":50,"items":{"description":"Certificate bundles for the Auto Mode 
nodes","type":"object","required":["data"],"properties":{"data":{"description":"(Required) Base64-encoded, PEM formatted certificate","type":"string","pattern":"^[A-Za-z0-9+=\\/]+$"},"name":{"description":"(Optional) A name for the certificate bundle","type":"string","maxLength":64,"pattern":"^[a-z-]+$"}}},"x-kubernetes-validations":[{"message":"certificateBundles cannot be empty","rule":"self.size() != 0"},{"message":"expected 'data'","rule":"self.all(x, has(x.data))"},{"message":"name must be unique across certificateBundles","rule":"self.all(x, !has(x.name) || self.filter(y, y.name == x.name && has(y.name)).size() == 1)"}]},"ephemeralStorage":{"description":"EphemeralStorage specifies the default data volume storage attached to the node","type":"object","properties":{"iops":{"description":"The IOPS for ephemeral storage","type":"integer","format":"int64","maximum":16000,"minimum":3000},"kmsKeyID":{"description":"The key ID, key alias, key ARN, or alias ARN of the KMS Key to use\nfor EBS encryption","type":"string","pattern":"(^[A-z0-9-_\\/]{1,256}$)|(^(arn:(aws|aws-us-gov|aws-cn):kms:[a-z0-9-]+:\\d{12}:(key|alias))\\/[0-9A-Za-z-]{1,256}$)|(^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$)"},"size":{"description":"The size of the ephemeral storage","type":"string","pattern":"^((?:[1-9][0-9]{0,3}|[1-4][0-9]{4}|[5][0-8][0-9]{3}|59000)Gi|(?:[1-9][0-9]{0,3}|[1-5][0-9]{4}|[6][0-3][0-9]{3}|64000)G|([1-9]||[1-5][0-7]|58)Ti|([1-9]||[1-5][0-9]|6[0-3]|64)T)$"},"throughput":{"description":"The throughput for ephemeral storage","type":"integer","format":"int64","maximum":1000,"minimum":125}}},"instanceProfile":{"description":"InstanceProfile is the AWS entity that instances use.\nThis field is mutually exclusive from role.\nThe instance profile should already have a role assigned to it that Karpenter\nhas PassRole permission on for instance launch using this instanceProfile to succeed.","type":"string","x-kubernetes-validations":[{"message":"instanceProfile 
cannot be empty","rule":"self != ''"}]},"networkPolicy":{"description":"NetworkPolicy tells the network policy agent how it should enforce network policies against pods\nBy default, the Amazon VPC CNI plugin for Kubernetes configures network policies for pods in parallel with the pod provisioning\nIn the DefaultAllow mode, until all of the policies are configured for the new pod, containers in the new pod will start with a default allow policy.\nA default allow policy means that all ingress and egress traffic is allowed to and from the new pods\nIn the DefaultDeny mode, a new pod will be blocked from Egress and Ingress connections till a qualifying Network Policy is applied\nIn this mode, you must have a network policy defined for every pod in your cluster. Host Networking pods are exempted from this requirement.","type":"string","enum":["DefaultAllow","DefaultDeny"]},"networkPolicyEventLogs":{"description":"NetworkPolicyEventLogs controls whether Network Policy event logging is enabled on the nodes.\nBy default, this value is set to Disabled. When set to Enabled, the Network Policy Agent on the node will log the outcomes of network policy decisions.","type":"string","enum":["Enabled","Disabled"]},"podSecurityGroupSelectorTerms":{"description":"PodSecurityGroupSelectorTerms is a list of security group selector terms. 
The terms are ORed.","type":"array","maxItems":30,"items":{"description":"SecurityGroupSelectorTerm defines selection logic for a security group used by Karpenter to launch nodes.\nIf multiple fields are used for selection, the requirements are ANDed.","type":"object","properties":{"id":{"description":"ID is the security group id in EC2","type":"string","pattern":"sg-[0-9a-z]+"},"name":{"description":"Name is the security group name in EC2.\nThis value is the name field, which is different from the name tag.","type":"string"},"tags":{"description":"Tags is a map of key/value tags used to select subnets\nSpecifying '*' for a value selects all values for a given tag key.","type":"object","maxProperties":20,"additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys or values aren't supported","rule":"self.all(k, k != '' && self[k] != '')"}]}}},"x-kubernetes-validations":[{"message":"podSecurityGroupSelectorTerms cannot be empty","rule":"self.size() != 0"},{"message":"expected at least one, got none, ['tags', 'id', 'name']","rule":"self.all(x, has(x.tags) || has(x.id) || has(x.name))"},{"message":"'id' is mutually exclusive, cannot be set with a combination of other fields in podSecurityGroupSelectorTerms","rule":"!self.all(x, has(x.id) && (has(x.tags) || has(x.name)))"},{"message":"'name' is mutually exclusive, cannot be set with a combination of other fields in podSecurityGroupSelectorTerms","rule":"!self.all(x, has(x.name) && (has(x.tags) || has(x.id)))"}]},"podSubnetSelectorTerms":{"description":"PodSubnetSelectorTerms is a list of subnet selector terms. 
The terms are ORed.","type":"array","maxItems":30,"items":{"description":"SubnetSelectorTerm defines selection logic for a subnet used by Karpenter to launch nodes.\nIf multiple fields are used for selection, the requirements are ANDed.","type":"object","properties":{"id":{"description":"ID is the subnet id in EC2","type":"string","pattern":"subnet-[0-9a-z]+"},"tags":{"description":"Tags is a map of key/value tags used to select subnets\nSpecifying '*' for a value selects all values for a given tag key.","type":"object","maxProperties":20,"additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys or values aren't supported","rule":"self.all(k, k != '' && self[k] != '')"}]}}},"x-kubernetes-validations":[{"message":"podSubnetSelectorTerms cannot be empty","rule":"self.size() != 0"},{"message":"expected at least one, got none, ['tags', 'id']","rule":"self.all(x, has(x.tags) || has(x.id))"},{"message":"'id' is mutually exclusive, cannot be set with a combination of other fields in podSubnetSelectorTerms","rule":"!self.all(x, has(x.id) && has(x.tags))"}]},"role":{"description":"Role is the AWS identity that nodes use. This field is immutable.\nThis field is mutually exclusive from instanceProfile.\nMarking this field as immutable avoids concerns around terminating managed instance profiles from running instances.\nThis field may be made mutable in the future, assuming the correct garbage collection and drift handling is implemented\nfor the old instance profiles on an update.","type":"string","maxLength":64,"x-kubernetes-validations":[{"message":"role cannot be empty","rule":"self != ''"},{"message":"immutable field changed","rule":"self == oldSelf"}]},"securityGroupSelectorTerms":{"description":"SecurityGroupSelectorTerms is a list of security group selector terms. 
The terms are ORed.","type":"array","maxItems":30,"items":{"description":"SecurityGroupSelectorTerm defines selection logic for a security group used by Karpenter to launch nodes.\nIf multiple fields are used for selection, the requirements are ANDed.","type":"object","properties":{"id":{"description":"ID is the security group id in EC2","type":"string","pattern":"sg-[0-9a-z]+"},"name":{"description":"Name is the security group name in EC2.\nThis value is the name field, which is different from the name tag.","type":"string"},"tags":{"description":"Tags is a map of key/value tags used to select subnets\nSpecifying '*' for a value selects all values for a given tag key.","type":"object","maxProperties":20,"additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys or values aren't supported","rule":"self.all(k, k != '' && self[k] != '')"}]}}},"x-kubernetes-validations":[{"message":"securityGroupSelectorTerms cannot be empty","rule":"self.size() != 0"},{"message":"expected at least one, got none, ['tags', 'id', 'name']","rule":"self.all(x, has(x.tags) || has(x.id) || has(x.name))"},{"message":"'id' is mutually exclusive, cannot be set with a combination of other fields in securityGroupSelectorTerms","rule":"!self.all(x, has(x.id) && (has(x.tags) || has(x.name)))"},{"message":"'name' is mutually exclusive, cannot be set with a combination of other fields in securityGroupSelectorTerms","rule":"!self.all(x, has(x.name) && (has(x.tags) || has(x.id)))"}]},"snatPolicy":{"description":"SNATPolicy specifies how SNAT (Source Network Address Translation) is configured on the node\nIf SNATPolicy is set to Disabled, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied\nDo not use SNATPolicy Disabled if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs,\nand your pods do not need to access the Internet directly via 
an Internet Gateway.\nIf SNATPolicy is set to Random, the CNI will use PRNG, meaning that --random-fully will be added to the SNAT iptables rule\nEnabling this functionality means that outbound connections will be assigned a source port that is not necessarily part of the ephemeral port range set at the OS level","type":"string","enum":["Random","Disabled"]},"subnetSelectorTerms":{"description":"SubnetSelectorTerms is a list of subnet selector terms. The terms are ORed.","type":"array","maxItems":30,"items":{"description":"SubnetSelectorTerm defines selection logic for a subnet used by Karpenter to launch nodes.\nIf multiple fields are used for selection, the requirements are ANDed.","type":"object","properties":{"id":{"description":"ID is the subnet id in EC2","type":"string","pattern":"subnet-[0-9a-z]+"},"tags":{"description":"Tags is a map of key/value tags used to select subnets\nSpecifying '*' for a value selects all values for a given tag key.","type":"object","maxProperties":20,"additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys or values aren't supported","rule":"self.all(k, k != '' && self[k] != '')"}]}}},"x-kubernetes-validations":[{"message":"subnetSelectorTerms cannot be empty","rule":"self.size() != 0"},{"message":"expected at least one, got none, ['tags', 'id']","rule":"self.all(x, has(x.tags) || has(x.id))"},{"message":"'id' is mutually exclusive, cannot be set with a combination of other fields in subnetSelectorTerms","rule":"!self.all(x, has(x.id) && has(x.tags))"}]},"tags":{"description":"Tags to be applied on ec2 resources like instances and launch templates.","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-validations":[{"message":"empty tag keys aren't supported","rule":"self.all(k, k != '')"},{"message":"tag contains a restricted tag matching kubernetes.io/cluster/","rule":"self.all(k, !k.startsWith('kubernetes.io/cluster') )"},{"message":"tag contains a restricted tag 
matching karpenter.sh/provisioner-name","rule":"self.all(k, k != 'karpenter.sh/provisioner-name')"},{"message":"tag contains a restricted tag matching karpenter.sh/nodepool","rule":"self.all(k, k != 'karpenter.sh/nodepool')"},{"message":"tag contains a restricted tag matching karpenter.sh/nodeclaim","rule":"self.all(k, k != 'karpenter.sh/nodeclaim')"},{"message":"tag contains a restricted tag matching karpenter.sh/managed-by","rule":"self.all(k, k !='karpenter.sh/managed-by')"},{"message":"tag contains a restricted tag matching eks.amazonaws.com/nodeclass","rule":"self.all(k, k !='eks.amazonaws.com/nodeclass')"}]}},"x-kubernetes-validations":[{"message":"exactly one of role OR instanceProfile must be provided","rule":"[has(self.role),has(self.instanceProfile)].filter(x, x == true).size() == 1"},{"message":"podSecurityGroupSelectorTerms cannot be empty when podSubnetSelectorTerms is specified","rule":"!has(self.podSubnetSelectorTerms) || has(self.podSecurityGroupSelectorTerms)"},{"message":"podSubnetSelectorTerms cannot be empty when podSecurityGroupSelectorTerms is specified","rule":"!has(self.podSecurityGroupSelectorTerms) || has(self.podSubnetSelectorTerms)"}]},"status":{"description":"NodeClassStatus contains the resolved state of the EKSNodeClass","type":"object","properties":{"capacityReservations":{"description":"CapacityReservations contains the current capacity reservation values that are available to this NodeClass under the\nCapacityReservation selectors.","type":"array","items":{"type":"object","required":["availabilityZone","id","instanceMatchCriteria","instanceType","ownerID"],"properties":{"availabilityZone":{"description":"The availability zone the capacity reservation is available in.","type":"string"},"endTime":{"description":"The time at which the capacity reservation expires. 
Once expired, the reserved capacity is released and Karpenter\nwill no longer be able to launch instances into that reservation.","type":"string","format":"date-time"},"id":{"description":"The id for the capacity reservation.","type":"string","pattern":"^cr-[0-9a-z]+$"},"instanceMatchCriteria":{"description":"Indicates the type of instance launches the capacity reservation accepts.","type":"string","enum":["open","targeted"]},"instanceType":{"description":"The instance type for the capacity reservation.","type":"string"},"ownerID":{"description":"The ID of the AWS account that owns the capacity reservation.","type":"string","pattern":"^[0-9]{12}$"},"reservationType":{"description":"The type of capacity reservation.","type":"string","enum":["default","capacity-block"]},"state":{"description":"The state of the capacity reservation. A capacity reservation is considered to be expiring if it is within the EC2\nreclamation window. Only capacity-block reservations may be in this state.","type":"string","enum":["active","expiring"]}}}},"conditions":{"type":"array","items":{"description":"Condition aliases the upstream type and adds additional helper methods","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"instanceProfile":{"description":"InstanceProfile contains the resolved instance profile for the role","type":"string"},"securityGroups":{"description":"SecurityGroups contains the current Security Groups values that are available to the\ncluster under the SecurityGroups selectors.","type":"array","items":{"description":"SecurityGroup contains resolved SecurityGroup selector values utilized for node launch","type":"object","required":["id"],"properties":{"id":{"description":"ID of the security 
group","type":"string"},"name":{"description":"Name of the security group","type":"string"}}}},"subnets":{"description":"Subnets contains the current Subnet values that are available to the\ncluster under the subnet selectors.","type":"array","items":{"description":"Subnet contains resolved Subnet selector values utilized for node launch","type":"object","required":["id","zone"],"properties":{"id":{"description":"ID of the subnet","type":"string"},"zone":{"description":"The associated availability zone","type":"string"},"zoneID":{"description":"The associated availability zone ID","type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"NodeClass","version":"v1"}],"title":"com.amazonaws.eks.v1.NodeClass"},"com.amazonaws.eks.v1.NodeClassList":{"description":"NodeClassList is a list of NodeClass","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodeclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.eks.v1.NodeClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"NodeClassList","version":"v1"}],"title":"com.amazonaws.eks.v1.NodeClassList"},"com.amazonaws.eks.v1.TargetGroupBinding":{"description":"TargetGroupBinding is the Schema for the TargetGroupBinding API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"TargetGroupBindingSpec defines the desired state of TargetGroupBinding","type":"object","required":["serviceRef","targetGroupARN","targetType"],"properties":{"networking":{"description":"networking defines the networking rules to allow ELBv2 LoadBalancer to access targets in TargetGroup.","type":"object","required":["ingress"],"properties":{"ingress":{"description":"List of ingress rules to allow ELBv2 LoadBalancer to access targets in TargetGroup.","type":"array","minItems":1,"items":{"description":"NetworkingIngressRule defines a particular set of traffic that is allowed to access TargetGroup's targets.","type":"object","required":["from"],"properties":{"from":{"description":"List of peers which should be able to access the targets in TargetGroup.\nAt least one NetworkingPeer should be specified.","type":"array","minItems":1,"items":{"description":"NetworkingPeer defines the source/destination peer for networking rules.","type":"object","properties":{"securityGroup":{"description":"SecurityGroup defines a SecurityGroup peer.\nIf specified, none of the other fields can be set.","type":"object","required":["groupID"],"properties":{"groupID":{"description":"GroupID is the EC2 SecurityGroupID.","type":"string","minLength":1}}}}}},"ports":{"description":"List of ports which should be made accessible on the targets in TargetGroup.\nIf ports is empty or unspecified, it defaults to all ports with TCP.","type":"array","items":{"description":"NetworkingPort defines the port and protocol for networking rules.","type":"object","properties":{"port":{"description":"The port which traffic must match.\nWhen NodePort endpoints(instance TargetType) is used, this must be a numerical port.\nWhen Port endpoints(ip TargetType) is used, this can be either numerical or named port on 
pods.\nif port is unspecified, it defaults to all ports.","x-kubernetes-int-or-string":true},"protocol":{"description":"The protocol which traffic must match.\nIf protocol is unspecified, it defaults to TCP.","type":"string","enum":["TCP","UDP"]}}}}}}}}},"nodeSelector":{"description":"node selector for instance type target groups to only register certain nodes","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceRef":{"description":"serviceRef is a reference to a Kubernetes Service and ServicePort.","type":"object","required":["name","port"],"properties":{"name":{"description":"Name is the name of the Service.","type":"string","minLength":1},"port":{"description":"Port is the port of the ServicePort.","x-kubernetes-int-or-string":true}}},"targetGroupARN":{"description":"targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup.","type":"string","minLength":1},"targetType":{"description":"targetType defines how to bind targets into targetGroup.","type":"string","enum":["instance","ip"]}}},"status":{"description":"TargetGroupBindingStatus defines the observed state of TargetGroupBinding","type":"object","properties":{"observedGeneration":{"description":"The generation observed by the TargetGroupBinding controller.","type":"integer","format":"int64"}}}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"TargetGroupBinding","version":"v1"}],"title":"com.amazonaws.eks.v1.TargetGroupBinding"},"com.amazonaws.eks.v1.TargetGroupBindingList":{"description":"TargetGroupBindingList is a list of TargetGroupBinding","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of targetgroupbindings. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.eks.v1.TargetGroupBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"TargetGroupBindingList","version":"v1"}],"title":"com.amazonaws.eks.v1.TargetGroupBindingList"},"com.amazonaws.eks.v1alpha1.CNINode":{"description":"CNINode is the Schema for the cninodes API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"CNINodeSpec defines the desired state of CNINode","type":"object","required":["instanceID","instanceType","ipAllocationStrategy","ipFamily","ipv4AddressesPerInterface","maximumNetworkCards","maximumNetworkInterfaces","networkPolicy","primaryIPv4","primaryNetworkInterfaceID","snatPolicy","vpcID"],"properties":{"availabilityZone":{"type":"string"},"enableV4Egress":{"type":"boolean"},"enableV6Egress":{"type":"boolean"},"instanceID":{"type":"string","minLength":1},"instanceType":{"type":"string","minLength":1},"ipAllocationStrategy":{"type":"string","minLength":1},"ipFamily":{"description":"IPFamily represents the IP Family (IPv4 or IPv6). This type is used\nto express the family of an IP expressed by a type (e.g. service.spec.ipFamilies).","type":"string","enum":["IPv4","IPv6"]},"ipv4AddressesPerInterface":{"type":"integer","format":"int32","minimum":1},"ipv4PrefixSize":{"type":"string","enum":["32","Auto"]},"maximumNetworkCards":{"type":"integer","format":"int32","minimum":1},"maximumNetworkInterfaces":{"type":"integer","format":"int32","minimum":1},"networkPolicy":{"type":"string","enum":["DefaultAllow","DefaultDeny"]},"networkPolicyEventLogs":{"type":"string","enum":["Enabled","Disabled"]},"podSecurityGroupIDs":{"type":"array","items":{"type":"string"}},"primaryIPv4":{"type":"string","minLength":1},"primaryIPv6":{"type":"string"},"primaryNetworkInterfaceID":{"type":"string","minLength":1},"securityGroupIDs":{"type":"array","items":{"type":"string"}},"snatPolicy":{"type":"string","enum":["Random","Disabled"]},"subnetMode":{"type":"string"},"vpcID":{"type":"string","minLength":1}}},"status":{"type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition aliases the upstream type and adds additional helper 
methods","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in 
foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"networkInterfaces":{"type":"array","items":{"type":"object","required":["attachmentId","deviceIndex","id","macAddress","networkCardIndex","primaryV4CIDR","subnetId","subnetV4CIDR","v4CIDRs"],"properties":{"attachmentId":{"type":"string","minLength":1},"cidrsToRelease":{"type":"array","items":{"type":"string"}},"deviceIndex":{"type":"integer","format":"int32","minimum":0},"id":{"type":"string","minLength":1},"macAddress":{"type":"string","minLength":1},"networkCardIndex":{"type":"integer","format":"int32","minimum":0},"primaryV4CIDR":{"type":"string","minLength":1},"primaryV6CIDR":{"type":"string"},"subnetId":{"type":"string","minLength":1},"subnetV4CIDR":{"type":"string","minLength":1},"subnetV6CIDRs":{"type":"array","items":{"type":"string"}},"unusedCIDRs":{"type":"array","items":{"type":"object","required":["cidrs","unusedTimestamp"],"properties":{"cidrs":{"type":"array","items":{"type":"string"}},"unusedTimestamp":{"type":"string","format":"date-time"}}}},"v4CIDRs":{"type":"array","minItems":1,"items":{"type":"string"}},"v6CIDRs":{"type":"array","items":{"type":"string"}}}}},"podSubnetIDs":{"type":"array","items":{"type":"string"}},"subnetIDs":{"type":"array","items":{"type":"string"}},"vpcCIDRs":{"type":"array","items":{"type":"string"}},"vpcV6CIDRs":{"type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"CNINode","version":"v1alpha1"}],"title":"com.amazonaws.eks.v1alpha1.CNINode"},"com.amazonaws.eks.v1alpha1.CNINodeList":{"description":"CNINodeList is a list of CNINode","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cninodes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.eks.v1alpha1.CNINode"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"CNINodeList","version":"v1alpha1"}],"title":"com.amazonaws.eks.v1alpha1.CNINodeList"},"com.amazonaws.eks.v1alpha1.NodeDiagnostic":{"description":"The name of the NodeDiagnostic resource is meant to match the name of the\nnode which should perform the diagnostic tasks","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"logCapture":{"description":"LogCapture is a definition for a diagnostic task that will package relevant\nlogs and stats into a tarball and deliver it to a provided destination.","type":"object","required":["destination"],"properties":{"categories":{"description":"Categories are log source groups for the LogCapture task.","type":"array","items":{"description":"LogCategory is a grouping of log sources to read from when performing a\nLogCapture task.","type":"string","enum":["Base","Device","Networking","Runtime","System","All"]}},"destination":{"description":"UploadDestination is a URL describing where to deliver a diagnostic artifact.","type":"string"}}}}},"status":{"type":"object","properties":{"captureStatuses":{"type":"array","items":{"description":"CaptureStatus describes the type and state of a capture task.","type":"object","required":["state","type"],"properties":{"state":{"type":"object","properties":{"completed":{"type":"object","required":["finishedAt","message","reason","startedAt"],"properties":{"finishedAt":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"startedAt":{"type":"string","format":"date-time"}}},"running":{"type":"object","required":["startedAt"],"properties":{"startedAt":{"type":"string","format":"date-time"}}}}},"type":{"description":"The set of diagnostic tasks supported by the NodeDiagnostic resource.","type":"string"}}}},"conditions":{"type":"array","items":{"description":"Condition aliases the upstream type and adds additional helper 
methods","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in 
foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"NodeDiagnostic","version":"v1alpha1"}],"title":"com.amazonaws.eks.v1alpha1.NodeDiagnostic"},"com.amazonaws.eks.v1alpha1.NodeDiagnosticList":{"description":"NodeDiagnosticList is a list of NodeDiagnostic","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodediagnostics. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.eks.v1alpha1.NodeDiagnostic"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"eks.amazonaws.com","kind":"NodeDiagnosticList","version":"v1alpha1"}],"title":"com.amazonaws.eks.v1alpha1.NodeDiagnosticList"},"com.amazonaws.k8s.crd.v1alpha1.ENIConfig":{"type":"object","x-kubernetes-group-version-kind":[{"group":"crd.k8s.amazonaws.com","kind":"ENIConfig","version":"v1alpha1"}],"title":"com.amazonaws.k8s.crd.v1alpha1.ENIConfig"},"com.amazonaws.k8s.crd.v1alpha1.ENIConfigList":{"description":"ENIConfigList is a list of ENIConfig","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of eniconfigs. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.amazonaws.k8s.crd.v1alpha1.ENIConfig"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"crd.k8s.amazonaws.com","kind":"ENIConfigList","version":"v1alpha1"}],"title":"com.amazonaws.k8s.crd.v1alpha1.ENIConfigList"},"com.aws.csi.s3.v2.MountpointS3PodAttachment":{"description":"MountpointS3PodAttachment is the Schema for the mountpoints3podattachments API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MountpointS3PodAttachmentSpec defines the desired state of MountpointS3PodAttachment.","type":"object","required":["authenticationSource","mountOptions","mountpointS3PodAttachments","nodeName","persistentVolumeName","volumeID","workloadFSGroup"],"properties":{"authenticationSource":{"description":"Authentication source taken from volume attribute field `authenticationSource`.","type":"string"},"mountOptions":{"description":"Comma separated mount options taken from volume.","type":"string"},"mountpointS3PodAttachments":{"description":"Maps each Mountpoint S3 pod name to its workload attachments","type":"object","additionalProperties":{"type":"array","items":{"description":"WorkloadAttachment represents the attachment details of a workload pod to a Mountpoint S3 pod.","type":"object","required":["attachmentTime","workloadPodUID"],"properties":{"attachmentTime":{"description":"AttachmentTime represents when the workload pod was attached to the Mountpoint S3 pod","type":"string","format":"date-time"},"workloadPodUID":{"description":"WorkloadPodUID is the unique identifier of the attached workload pod","type":"string"}}}}},"nodeName":{"description":"Name of the node.","type":"string"},"persistentVolumeName":{"description":"Name of the Persistent Volume.","type":"string"},"volumeID":{"description":"Volume ID.","type":"string"},"workloadFSGroup":{"description":"Workload pod's `fsGroup` from pod security context","type":"string"},"workloadNamespace":{"description":"Workload pod's namespace. Exists only if `authenticationSource: pod`.","type":"string"},"workloadServiceAccountIAMRoleARN":{"description":"EKS IAM Role ARN from workload pod's service account annotation (IRSA). 
Exists only if `authenticationSource: pod` and service account has `eks.amazonaws.com/role-arn` annotation.","type":"string"},"workloadServiceAccountName":{"description":"Workload pod's service account name. Exists only if `authenticationSource: pod`.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"s3.csi.aws.com","kind":"MountpointS3PodAttachment","version":"v2"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.nodeName"}],"title":"com.aws.csi.s3.v2.MountpointS3PodAttachment"},"com.aws.csi.s3.v2.MountpointS3PodAttachmentList":{"description":"MountpointS3PodAttachmentList is a list of MountpointS3PodAttachment","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mountpoints3podattachments. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.aws.csi.s3.v2.MountpointS3PodAttachment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"s3.csi.aws.com","kind":"MountpointS3PodAttachmentList","version":"v2"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.nodeName"}],"title":"com.aws.csi.s3.v2.MountpointS3PodAttachmentList"},"com.coreos.monitoring.v1.Alertmanager":{"description":"The `Alertmanager` custom resource definition (CRD) defines a desired [Alertmanager](https://prometheus.io/docs/alerting) setup to run in a Kubernetes cluster. It allows specifying many options such as the number of replicas, persistent storage and many more.\n\nFor each `Alertmanager` resource, the Operator deploys a `StatefulSet` in the same namespace. When there are two or more configured replicas, the Operator runs the Alertmanager instances in high-availability mode.\n\nThe resource defines via label and namespace selectors which `AlertmanagerConfig` objects should be associated to the deployed Alertmanager instances.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of the desired behavior of the Alertmanager cluster. More info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"additionalArgs":{"description":"additionalArgs allows setting additional arguments for the 'Alertmanager' container.\nIt is intended for e.g. activating hidden flags which are not supported by\nthe dedicated configuration options yet. The arguments are passed as-is to the\nAlertmanager container which may cause issues if they are invalid or not supported\nby the given Alertmanager version.","type":"array","items":{"description":"Argument as part of the AdditionalArgs list.","type":"object","required":["name"],"properties":{"name":{"description":"name of the argument, e.g. \"scrape.discovery-reload-interval\".","type":"string","minLength":1},"value":{"description":"value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile)","type":"string"}}}},"additionalPeers":{"description":"additionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster.","type":"array","items":{"type":"string"}},"affinity":{"description":"affinity defines the pod's scheduling constraints.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and subtracting\n\"weight\" from the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"alertmanagerConfigMatcherStrategy":{"description":"alertmanagerConfigMatcherStrategy defines how AlertmanagerConfig objects\nprocess incoming alerts.","type":"object","properties":{"type":{"description":"type defines the strategy used by\nAlertmanagerConfig objects to match alerts in the routes and inhibition\nrules.\n\nThe default value is `OnNamespace`.","type":"string","enum":["OnNamespace","OnNamespaceExceptForAlertmanagerNamespace","None"]}}},"alertmanagerConfigNamespaceSelector":{"description":"alertmanagerConfigNamespaceSelector defines the namespaces to be selected for AlertmanagerConfig discovery. If nil, only\ncheck own namespace.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"alertmanagerConfigSelector":{"description":"alertmanagerConfigSelector defines the selector for the AlertmanagerConfig objects to merge and configure Alertmanager with.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"alertmanagerConfiguration":{"description":"alertmanagerConfiguration defines the configuration of Alertmanager.\n\nIf defined, it takes precedence over the `configSecret` field.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"object","properties":{"global":{"description":"global defines the global parameters of the Alertmanager configuration.","type":"object","properties":{"httpConfig":{"description":"httpConfig defines the default HTTP configuration.","type":"object","properties":{"authorization":{"description":"authorization configures the Authorization header credentials used by\nthe client.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the Basic Authentication credentials used by the\nclient.\n\nCannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines a key of a Secret containing the bearer token\nused by the client for authentication. 
The secret needs to be in the\nsame namespace as the custom resource and readable by the Prometheus\nOperator.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `oauth2`.\n\nDeprecated: use `authorization` instead.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether the client should follow HTTP 3xx\nredirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 settings used by the client.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the server's certificate chain and host name are not verified, so the\nconnection is not protected against interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.\n\nTLS10 and TLS11 are deprecated protocol versions (RFC 8996); prefer TLS12 or later.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration used by the client.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the server's certificate chain and host name are not verified, so the\nconnection is not protected against interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.\n\nTLS10 and TLS11 are deprecated protocol versions (RFC 8996); prefer TLS12 or later.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"jira":{"description":"jira defines the default configuration for Jira.","type":"object","properties":{"apiURL":{"description":"apiURL defines the default Jira API URL.\n\nIt requires Alertmanager >= v0.28.0.","type":"string","pattern":"^(http|https)://.+$"}}},"opsGenieApiKey":{"description":"opsGenieApiKey 
defines the default OpsGenie API Key.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"opsGenieApiUrl":{"description":"opsGenieApiUrl defines the default OpsGenie API URL.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"pagerdutyUrl":{"description":"pagerdutyUrl defines the default Pagerduty URL.","type":"string","pattern":"^(http|https)://.+$"},"resolveTimeout":{"description":"resolveTimeout defines the default value used by alertmanager if the alert does\nnot include EndsAt, after this time passes it can declare the alert as resolved if it has not been updated.\nThis has no impact on alerts from Prometheus, as they always include EndsAt.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"rocketChat":{"description":"rocketChat defines the default configuration for Rocket Chat.","type":"object","properties":{"apiURL":{"description":"apiURL defines the default Rocket Chat API URL.\n\nIt requires Alertmanager >= v0.28.0.","type":"string","pattern":"^(http|https)://.+$"},"token":{"description":"token defines the default Rocket Chat token.\n\nIt requires Alertmanager >= v0.28.0.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tokenID":{"description":"tokenID defines the default Rocket Chat Token ID.\n\nIt requires Alertmanager >= v0.28.0.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"slackApiUrl":{"description":"slackApiUrl defines the default Slack API URL.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"smtp":{"description":"smtp defines global SMTP parameters.","type":"object","properties":{"authIdentity":{"description":"authIdentity represents SMTP Auth using PLAIN","type":"string"},"authPassword":{"description":"authPassword represents SMTP Auth using LOGIN and PLAIN.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"authSecret":{"description":"authSecret represents SMTP Auth using CRAM-MD5.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"authUsername":{"description":"authUsername represents SMTP Auth using CRAM-MD5, LOGIN and PLAIN. If empty, Alertmanager doesn't authenticate to the SMTP server.","type":"string"},"from":{"description":"from defines the default SMTP From header field.","type":"string"},"hello":{"description":"hello defines the default hostname to identify to the SMTP server.","type":"string"},"requireTLS":{"description":"requireTLS defines the default SMTP TLS requirement.\nNote that Go does not support unencrypted connections to remote SMTP endpoints.","type":"boolean"},"smartHost":{"description":"smartHost defines the default SMTP smarthost used for sending emails.","type":"object","required":["host","port"],"properties":{"host":{"description":"host defines the host's address, it can be a DNS name or a literal IP address.","type":"string","minLength":1},"port":{"description":"port defines the host's port, it can be a literal port number or a port name.","type":"string","minLength":1}}},"tlsConfig":{"description":"tlsConfig defines the default TLS configuration for SMTP receivers","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true, so the identity of the target is not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"telegram":{"description":"telegram defines the default Telegram config","type":"object","properties":{"apiURL":{"description":"apiURL defines the default Telegram API URL.\n\nIt requires Alertmanager >= v0.24.0.","type":"string","pattern":"^(http|https)://.+$"}}},"victorops":{"description":"victorops defines the default configuration for VictorOps.","type":"object","properties":{"apiKey":{"description":"apiKey defines the default VictorOps API Key.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"apiURL":{"description":"apiURL defines the default VictorOps API URL.","type":"string","pattern":"^(http|https)://.+$"}}},"webex":{"description":"webex defines the default configuration for Webex.","type":"object","properties":{"apiURL":{"description":"apiURL defines the default Webex API URL.\n\nIt requires Alertmanager >= v0.25.0.","type":"string","pattern":"^(http|https)://.+$"}}},"wechat":{"description":"wechat defines the default WeChat Config","type":"object","properties":{"apiCorpID":{"description":"apiCorpID defines the default WeChat API Corporate ID.","type":"string","minLength":1},"apiSecret":{"description":"apiSecret defines the default WeChat API Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"apiURL":{"description":"apiURL defines the default WeChat API URL.\nThe default value is \"https://qyapi.weixin.qq.com/cgi-bin/\"","type":"string","pattern":"^(http|https)://.+$"}}}}},"name":{"description":"name defines the name of the AlertmanagerConfig custom resource which is used to generate the Alertmanager configuration.\nIt must be defined in the same namespace as the Alertmanager object.\nThe operator will not enforce a `namespace` label for routes and inhibition rules.","type":"string","minLength":1},"templates":{"description":"templates defines the custom notification templates.","type":"array","items":{"description":"SecretOrConfigMap allows to specify data as a Secret or ConfigMap. Fields are mutually exclusive.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"automountServiceAccountToken":{"description":"automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod.\nIf the service account has `automountServiceAccountToken: true`, set the field to `false` to opt out of automounting API credentials.","type":"boolean"},"baseImage":{"description":"baseImage that is used to deploy pods, without tag.\nDeprecated: use 'image' instead.","type":"string"},"clusterAdvertiseAddress":{"description":"clusterAdvertiseAddress defines the explicit address to advertise in cluster.\nNeeds to be provided for non RFC1918 [1] (public) addresses.\n[1] RFC1918: https://tools.ietf.org/html/rfc1918","type":"string"},"clusterGossipInterval":{"description":"clusterGossipInterval defines the interval between gossip attempts.","type":"string","pattern":"^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"clusterLabel":{"description":"clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster.\nYou should only set it when the Alertmanager cluster includes Alertmanager instances which are external to this Alertmanager resource. 
In practice, the addresses of the external instances are provided via the `.spec.additionalPeers` field.","type":"string"},"clusterPeerTimeout":{"description":"clusterPeerTimeout defines the timeout for cluster peering.","type":"string","pattern":"^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"clusterPushpullInterval":{"description":"clusterPushpullInterval defines the interval between pushpull attempts.","type":"string","pattern":"^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"clusterTLS":{"description":"clusterTLS defines the mutual TLS configuration for the Alertmanager cluster's gossip protocol.\n\nIt requires Alertmanager >= 0.24.0.","type":"object","required":["client","server"],"properties":{"client":{"description":"client defines the client-side configuration for mutual TLS.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true, so the identity of the target is not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"server":{"description":"server defines the server-side configuration for mutual TLS.","type":"object","properties":{"cert":{"description":"cert defines the Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive 
with `certFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.","type":"string"},"cipherSuites":{"description":"cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants","type":"array","items":{"type":"string"}},"clientAuthType":{"description":"clientAuthType defines the server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType","type":"string"},"clientCAFile":{"description":"clientCAFile defines the path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.","type":"string"},"client_ca":{"description":"client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"curvePreferences":{"description":"curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID","type":"array","items":{"type":"string"}},"keyFile":{"description":"keyFile defines the path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.","type":"string"},"keySecret":{"description":"keySecret defines the secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the Maximum TLS version that is acceptable.","type":"string"},"minVersion":{"description":"minVersion defines the minimum TLS version that is acceptable.","type":"string"},"preferServerCipherSuites":{"description":"preferServerCipherSuites defines whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.","type":"boolean"}}}}},"configMaps":{"description":"configMaps defines a list of ConfigMaps in the same namespace as the Alertmanager\nobject, which shall be mounted into the Alertmanager Pods.\nEach ConfigMap is added to the StatefulSet definition as a volume named `configmap-<configmap-name>`.\nThe ConfigMaps are mounted into `/etc/alertmanager/configmaps/<configmap-name>` in the 'alertmanager' container.","type":"array","items":{"type":"string"}},"configSecret":{"description":"configSecret defines the name of a Kubernetes Secret in the same namespace as the\nAlertmanager object, which contains the configuration for this Alertmanager\ninstance. If empty, it defaults to `alertmanager-<alertmanager-name>`.\n\nThe Alertmanager configuration should be available under the\n`alertmanager.yaml` key. 
Additional keys from the original secret are\ncopied to the generated secret and mounted into the\n`/etc/alertmanager/config` directory in the `alertmanager` container.\n\nIf either the secret or the `alertmanager.yaml` key is missing, the\noperator provisions a minimal Alertmanager configuration with one empty\nreceiver (effectively dropping alert notifications).","type":"string"},"containers":{"description":"containers allows injecting additional containers. This is meant to\nallow adding an authentication proxy to an Alertmanager pod.\nContainers described here modify an operator generated container if they\nshare the same name and modifications are done via a strategic merge\npatch. The current container names are: `alertmanager` and\n`config-reloader`. Overriding containers is entirely outside the scope\nof what the maintainers will support and by doing so, you accept that\nthis behaviour may break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. 
Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. 
Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. 
If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represents the POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represents the POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false.","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"dnsConfig":{"description":"dnsConfig defines the DNS configuration for the pods.","type":"object","properties":{"nameservers":{"description":"nameservers defines the list of DNS name server IP addresses.\nThis will be appended to the base nameservers generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"options":{"description":"options defines the list of DNS resolver options.\nThis will be merged with the base options generated from DNSPolicy.\nResolution options given in Options\nwill override those that appear in the base DNSPolicy.","type":"array","items":{"description":"PodDNSConfigOption defines DNS resolver options of a 
pod.","type":"object","required":["name"],"properties":{"name":{"description":"name is required and must be unique.","type":"string","minLength":1},"value":{"description":"value is optional.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"searches":{"description":"searches defines the list of DNS search domains for host-name lookup.\nThis will be appended to the base search paths generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"dnsPolicy":{"description":"dnsPolicy defines the DNS policy for the pods.","type":"string","enum":["ClusterFirstWithHostNet","ClusterFirst","Default","None"]},"enableFeatures":{"description":"enableFeatures defines the Alertmanager's feature flags. By default, no features are enabled.\nEnabling features which are disabled by default is entirely outside the\nscope of what the maintainers will support and by doing so, you accept\nthat this behaviour may break at any time without notice.\n\nIt requires Alertmanager >= 0.27.0.","type":"array","items":{"type":"string"}},"enableServiceLinks":{"description":"enableServiceLinks defines whether information about services should be injected into pod's environment variables","type":"boolean"},"externalUrl":{"description":"externalUrl defines the URL used to access the Alertmanager web service. This is\nnecessary to generate correct URLs. This is necessary if Alertmanager is not\nserved from root of a DNS name.","type":"string"},"forceEnableClusterMode":{"description":"forceEnableClusterMode ensures Alertmanager does not deactivate the cluster mode when running with a single replica.\nUse case is e.g. 
spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each.","type":"boolean"},"hostAliases":{"description":"hostAliases Pods configuration","type":"array","items":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the\npod's hosts file.","type":"object","required":["hostnames","ip"],"properties":{"hostnames":{"description":"hostnames defines hostnames for the above IP address.","type":"array","items":{"type":"string"}},"ip":{"description":"ip defines the IP address of the host file entry.","type":"string"}}},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map"},"hostUsers":{"description":"hostUsers controls whether the pod uses the host's user namespace (Kubernetes user namespaces support).\n\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/\n\nThe feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled.\nStarting with Kubernetes 1.33, the feature is enabled by default.","type":"boolean"},"image":{"description":"image if specified has precedence over baseImage, tag and sha\ncombinations. 
Specifying the version is still necessary to ensure the\nPrometheus Operator knows what version of Alertmanager is being\nconfigured.","type":"string"},"imagePullPolicy":{"description":"imagePullPolicy for the 'alertmanager', 'init-config-reloader' and 'config-reloader' containers.\nSee https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.","type":"string","enum":["","Always","Never","IfNotPresent"]},"imagePullSecrets":{"description":"imagePullSecrets An optional list of references to secrets in the same namespace\nto use for pulling prometheus and alertmanager images from registries\nsee https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"initContainers":{"description":"initContainers allows adding initContainers to the pod definition. Those can be used to e.g.\nfetch secrets for injection into the Alertmanager configuration from external sources. Any\nerrors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/\nInitContainers described here modify an operator\ngenerated init containers if they share the same name and modifications are\ndone via a strategic merge patch. The current init container name is:\n`init-config-reloader`. 
Overriding init containers is entirely outside the\nscope of what the maintainers will support and by doing so, you accept that\nthis behaviour may break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. 
Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' 
path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false.","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"limits":{"description":"limits defines the limits command line flags when starting Alertmanager.","type":"object","properties":{"maxPerSilenceBytes":{"description":"maxPerSilenceBytes defines the maximum size of an individual silence as stored on disk. This corresponds to the Alertmanager's\n`--silences.max-per-silence-bytes` flag.\nIt requires Alertmanager >= v0.28.0.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"maxSilences":{"description":"maxSilences defines the maximum number active and pending silences. 
This corresponds to the\nAlertmanager's `--silences.max-silences` flag.\nIt requires Alertmanager >= v0.28.0.","type":"integer","format":"int32","minimum":0}}},"listenLocal":{"description":"listenLocal makes the Alertmanager server listen on loopback, so that it\ndoes not bind against the Pod IP. Note this is only for the Alertmanager\nUI, not the gossip communication.","type":"boolean"},"logFormat":{"description":"logFormat for Alertmanager to be configured with.","type":"string","enum":["","logfmt","json"]},"logLevel":{"description":"logLevel for Alertmanager to be configured with.","type":"string","enum":["","debug","info","warn","error"]},"minReadySeconds":{"description":"minReadySeconds defines the minimum number of seconds for which a newly\ncreated pod should be ready without any of its containers crashing for it\nto be considered available.\n\nIf unset, pods will be considered available as soon as they are ready.\n\nWhen the Alertmanager version is greater than or equal to v0.30.0, the\nduration is also used to delay the first flush of the aggregation\ngroups. This delay helps ensure that all alerts have been resent by\nthe Prometheus instances to Alertmanager after a roll-out. 
It is\npossible to override this behavior passing a custom value via\n`.spec.additionalArgs`.","type":"integer","format":"int32","minimum":0},"nodeSelector":{"description":"nodeSelector defines which Nodes the Pods are scheduled on.","type":"object","additionalProperties":{"type":"string"}},"paused":{"description":"paused if set to true all actions on the underlying managed objects are not\ngoing to be performed, except for delete actions.","type":"boolean"},"persistentVolumeClaimRetentionPolicy":{"description":"persistentVolumeClaimRetentionPolicy controls if and how PVCs are deleted during the lifecycle of a StatefulSet.\nThe default behavior is all PVCs are retained.\nThis is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26.\nIt requires enabling the StatefulSetAutoDeletePVC feature gate.","type":"object","properties":{"whenDeleted":{"description":"WhenDeleted specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is deleted. The default policy\nof `Retain` causes PVCs to not be affected by StatefulSet deletion. The\n`Delete` policy causes those PVCs to be deleted.","type":"string"},"whenScaled":{"description":"WhenScaled specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is scaled down. The default\npolicy of `Retain` causes PVCs to not be affected by a scaledown. 
The\n`Delete` policy causes the associated PVCs for any excess pods above\nthe replica count to be deleted.","type":"string"}}},"podManagementPolicy":{"description":"podManagementPolicy defines the policy for creating/deleting pods when\nscaling up and down.\n\nUnlike the default StatefulSet behavior, the default policy is\n`Parallel` to avoid manual intervention in case a pod gets stuck during\na rollout.\n\nNote that updating this value implies the recreation of the StatefulSet\nwhich incurs a service outage.","type":"string","enum":["OrderedReady","Parallel"]},"podMetadata":{"description":"podMetadata defines labels and annotations which are propagated to the Alertmanager pods.\n\nThe following items are reserved and cannot be overridden:\n* \"alertmanager\" label, set to the name of the Alertmanager instance.\n* \"app.kubernetes.io/instance\" label, set to the name of the Alertmanager instance.\n* \"app.kubernetes.io/managed-by\" label, set to \"prometheus-operator\".\n* \"app.kubernetes.io/name\" label, set to \"alertmanager\".\n* \"app.kubernetes.io/version\" label, set to the Alertmanager version.\n* \"kubectl.kubernetes.io/default-container\" annotation, set to \"alertmanager\".","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. 
May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"portName":{"description":"portName defines the port's name for the pods and governing service.\nDefaults to `web`.","type":"string"},"priorityClassName":{"description":"priorityClassName assigned to the Pods","type":"string"},"replicas":{"description":"replicas defines the expected size of the alertmanager cluster. The controller will\neventually make the size of the running cluster equal to the expected\nsize.","type":"integer","format":"int32"},"resources":{"description":"resources defines the resource requests and limits of the Pods.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"retention":{"description":"retention defines the time duration Alertmanager shall retain data for. Default is '120h',\nand must match the regular expression `[0-9]+(ms|s|m|h)` (milliseconds seconds minutes hours).","type":"string","pattern":"^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"routePrefix":{"description":"routePrefix Alertmanager registers HTTP handlers for. This is useful,\nif using ExternalURL and a proxy is rewriting HTTP routes of a request,\nand the actual ExternalURL is still true, but the server serves requests\nunder a different route prefix. 
For example for use with `kubectl proxy`.","type":"string"},"secrets":{"description":"secrets is a list of Secrets in the same namespace as the Alertmanager\nobject, which shall be mounted into the Alertmanager Pods.\nEach Secret is added to the StatefulSet definition as a volume named `secret-<secret-name>`.\nThe Secrets are mounted into `/etc/alertmanager/secrets/<secret-name>` in the 'alertmanager' container.","type":"array","items":{"type":"string"}},"securityContext":{"description":"securityContext holds pod-level security attributes and common container settings.\nThis defaults to the default PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. 
The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxChangePolicy":{"description":"seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or on volumes that do not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. 
Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, 
relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified).  If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"description":"Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"serviceAccountName":{"description":"serviceAccountName is the name of the ServiceAccount to use to run the\nPrometheus Pods.","type":"string"},"serviceName":{"description":"serviceName defines the service name used by the underlying StatefulSet(s) as the governing service.\nIf defined, the Service  must be created before the Alertmanager resource in the same namespace and it must define a selector that matches the pod labels.\nIf empty, the operator will create and manage a headless service named `alertmanager-operated` for Alertmanager resources.\nWhen deploying multiple Alertmanager resources in the same namespace, it is recommended to specify a different value for each.\nSee https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.","type":"string","minLength":1},"sha":{"description":"sha of Alertmanager container image to be deployed. Defaults to the value of `version`.\nSimilar to a tag, but the SHA explicitly deploys an immutable container image.\nVersion and Tag are ignored if SHA is set.\nDeprecated: use 'image' instead. 
The image digest can be specified as part of the image URL.","type":"string"},"storage":{"description":"storage defines the definition of how storage will be used by the Alertmanager\ninstances.","type":"object","properties":{"disableMountSubPath":{"description":"disableMountSubPath deprecated: subPath usage will be removed in a future release.","type":"boolean"},"emptyDir":{"description":"emptyDir to be used by the StatefulSet.\nIf specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral to be used by the StatefulSet.\nThis is a beta field in k8s 1.21 and GA in 1.15.\nFor lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate.\nMore info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to 
provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. 
The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. 
This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote 
that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"volumeClaimTemplate":{"description":"volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets.\nThe easiest way to use a volume that cannot be automatically provisioned\nis to use a label selector alongside manually created PersistentVolumes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata defines EmbeddedMetadata contains metadata relevant to an EmbeddedResource.","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset 
by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"spec":{"description":"spec defines the specification of the  characteristics of a volume requested by a pod author.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource 
contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. 
For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. 
See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}},"status":{"description":"status is deprecated: this field is never set.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. 
Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"description":"When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource\nthat it does not recognize, then it should ignore that update and let other controllers\nhandle it.","type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being\nresized then the Condition will be set to 'Resizing'.","type":"array","items":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["status","type"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","type":"string","format":"date-time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, this should be a short, machine understandable string that gives the reason\nfor condition's last transition. 
If it reports \"Resizing\" that means the underlying\npersistent volume is being resized.","type":"string"},"status":{"description":"Status is the status of the condition.\nCan be True, False, Unknown.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required","type":"string"},"type":{"description":"Type is the type of the condition.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.\nWhen unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.\nWhen this is unset, there is no ModifyVolume operation being attempted.","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. 
Consumers should check for unknown statuses and fail appropriately.","type":"string"},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}}},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.","type":"string"}}}}}}},"tag":{"description":"tag of Alertmanager container image to be deployed. Defaults to the value of `version`.\nVersion is ignored if Tag is set.\nDeprecated: use 'image' instead. The image tag can be specified as part of the image URL.","type":"string"},"terminationGracePeriodSeconds":{"description":"terminationGracePeriodSeconds defines the Optional duration in seconds the pod needs to terminate gracefully.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down) which may lead to data corruption.\n\nDefaults to 120 seconds.","type":"integer","format":"int64","minimum":0},"tolerations":{"description":"tolerations defines the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}},"topologySpreadConstraints":{"description":"topologySpreadConstraints defines the Pod's topology spread constraints.","type":"array","items":{"description":"TopologySpreadConstraint specifies how to spread matching pods among the given topology.","type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"description":"LabelSelector is used to find matching pods.\nPods that match this label selector are counted to determine the number of pods\nin their corresponding topology domain.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which\nspreading will be calculated. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are ANDed with labelSelector\nto select the group of existing pods over which spreading will be calculated\nfor the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.\nMatchLabelKeys cannot be set when LabelSelector isn't set.\nKeys that don't exist in the incoming pod labels will\nbe ignored. 
A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed.\nWhen `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference\nbetween the number of matching pods in the target topology and the global minimum.\nThe global minimum is the minimum number of matching pods in an eligible domain\nor zero if the number of eligible domains is less than MinDomains.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 2/2/1:\nIn this case, the global minimum is 1.\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |   P   |\n- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;\nscheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)\nviolate MaxSkew(1).\n- if MaxSkew is 2, incoming pod can be scheduled onto any zone.\nWhen `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence\nto topologies that satisfy it.\nIt's a required field. 
Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains.\nWhen the number of eligible domains with matching topology keys is less than minDomains,\nPod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed.\nAnd when the number of eligible domains with matching topology keys equals or greater than minDomains,\nthis value has no effect on scheduling.\nAs a result, when the number of eligible domains is less than minDomains,\nscheduler won't schedule more than maxSkew Pods to those domains.\nIf value is nil, the constraint behaves as if MinDomains is equal to 1.\nValid values are integers greater than 0.\nWhen value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same\nlabelSelector spread as 2/2/2:\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |  P P  |\nThe number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0.\nIn this situation, new pod with the same labelSelector cannot be scheduled,\nbecause computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,\nit will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector\nwhen calculating pod topology spread skew. Options are:\n- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.\n- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.","type":"string"},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating\npod topology spread skew. 
Options are:\n- Honor: nodes without taints, along with tainted nodes for which the incoming pod\nhas a toleration, are included.\n- Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.","type":"string"},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key\nand identical values are considered to be in the same topology.\nWe consider each <key, value> as a \"bucket\", and try to put balanced number\nof pods into each bucket.\nWe define a domain as a particular instance of a topology.\nAlso, we define an eligible domain as a domain whose nodes meet the requirements of\nnodeAffinityPolicy and nodeTaintsPolicy.\ne.g. If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology.\nAnd, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology.\nIt's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy\nthe spread constraint.\n- DoNotSchedule (default) tells the scheduler not to schedule it.\n- ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod\nif and only if every possible node assignment for that pod would violate\n\"MaxSkew\" on some topology.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 3/1/1:\n| zone1 | zone2 | zone3 |\n| P P P |   P   |   P   |\nIf WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled\nto zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies\nMaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler\nwon't make it *more* imbalanced.\nIt's a required field.","type":"string"}}}},"updateStrategy":{"description":"updateStrategy indicates the strategy that will be employed to update\nPods in the StatefulSet when a revision is made to statefulset's Pod\nTemplate.\n\nThe default strategy is RollingUpdate.","type":"object","required":["type"],"properties":{"rollingUpdate":{"description":"rollingUpdate is used to communicate parameters when type is RollingUpdate.","type":"object","properties":{"maxUnavailable":{"description":"maxUnavailable is the maximum number of pods that can be unavailable\nduring the update. The value can be an absolute number (ex: 5) or a\npercentage of desired pods (ex: 10%). Absolute number is calculated from\npercentage by rounding up. This can not be 0.  Defaults to 1. This field\nis alpha-level and is only honored by servers that enable the\nMaxUnavailableStatefulSet feature. The field applies to all pods in the\nrange 0 to Replicas-1.  
That means if there is any unavailable pod in\nthe range 0 to Replicas-1, it will be counted towards MaxUnavailable.","x-kubernetes-int-or-string":true}}},"type":{"description":"type indicates the type of the StatefulSetUpdateStrategy.\n\nDefault is RollingUpdate.","type":"string","enum":["OnDelete","RollingUpdate"]}},"x-kubernetes-validations":[{"message":"rollingUpdate requires type to be RollingUpdate","rule":"!(self.type != 'RollingUpdate' && has(self.rollingUpdate))"}]},"version":{"description":"version the cluster should be on.","type":"string"},"volumeMounts":{"description":"volumeMounts allows configuration of additional VolumeMounts on the output StatefulSet definition.\nVolumeMounts specified will be appended to other VolumeMounts in the alertmanager container,\nthat are generated as a result of StorageSpec objects.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}}},"volumes":{"description":"volumes allows configuration of additional volumes on the output StatefulSet definition.\nVolumes specified will be appended to other volumes that are generated as a result of\nStorageSpec objects.","type":"array","items":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: AWSElasticBlockStore is deprecated. 
All operations for the in-tree\nawsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}}},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.\nDeprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type\nare redirected to the disk.csi.azure.com CSI driver.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.","type":"string"},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"}}},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.\nDeprecated: AzureFile is deprecated. All operations for the in-tree azureFile type\nare redirected to the file.csi.azure.com CSI driver.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the  name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.\nDeprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is optional: User is the rados user name, default is admin\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine.\nDeprecated: Cinder is deprecated. All operations for the in-tree cinder type\nare redirected to the cinder.csi.openstack.org CSI driver.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect\nto OpenStack.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"description":"volumeID used to identify the volume in cinder.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"configMap":{"description":"configMap represents a configMap that should populate this volume","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' 
path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume.\nConsult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. 
\"ext4\", \"xfs\", \"ntfs\".\nIf not provided, the empty value is passed to the associated CSI driver\nwhich will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing\nsensitive information to pass to the CSI driver to complete the CSI\nNodePublishVolume and NodeUnpublishVolume calls.\nThis field is optional, and  may be empty if no secret is required. If the\nsecret object contains more than one secret, all secret references are passed.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume.\nDefaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI\ndriver. Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits to use on created files by default. 
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: 
https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver.\nThe volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,\nand deleted when the pod is removed.\n\nUse this if:\na) the volume is only needed while the pod runs,\nb) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and\nd) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific\nAPIs for volumes that persist for longer than the lifecycle\nof an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to\nbe used that way - see the documentation of the driver for\nmore information.\n\nA pod can use both types of ephemeral volumes and\npersistent volumes at the same time.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. 
Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the 
group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be 
enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids)\nEither wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"description":"flexVolume represents a generic volume resource that is\nprovisioned/attached using an exec based plugin.\nDeprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing\nsensitive information to pass to the plugin scripts. This may be\nempty if no secret object is specified. 
If the secret object\ncontains more than one secret, all secrets are passed to the plugin\nscripts.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.\nDeprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","type":"object","properties":{"datasetName":{"description":"datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker\nshould be considered as deprecated","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset","type":"string"}}},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: GCEPersistentDisk is deprecated. All operations for the in-tree\ngcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}}},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision.\nDeprecated: GitRepo is deprecated. To provision a container with a git repo, mount an\nEmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir\ninto the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name.\nMust not contain or start with '..'.  If '.' is supplied, the volume directory will be the\ngit repository.  
Otherwise, if specified, the volume will contain the git repository in\nthe subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}}},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.\nDeprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology.","type":"string"},"path":{"description":"path is the Glusterfs volume path.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. 
Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume\nDefaults to \"\"\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"}}},"image":{"description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.\nThe volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\n- Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\n- IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.\nA failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. 
Failures will be retried using normal volume backoff and will be reported on the pod reason and message.\nThe types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.\nThe OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.\nThe volume will be mounted read-only (ro) and non-executable files (noexec).\nSub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.\nThe field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.","type":"object","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are:\nAlways: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\nNever: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\nIfNotPresent: the kubelet pulls if the reference isn't already present on disk. 
Container creation will fail if the reference isn't present and the pull fails.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.","type":"string"},"reference":{"description":"Required: Image or artifact reference to be used.\nBehaves in the same way as pod.spec.containers[*].image.\nPull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"}}},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi","type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether to support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether to support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n<target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"string"}}},"name":{"description":"name of the volume.\nMust be a DNS_LABEL and unique within the pod.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"object","required":["path","server"],"properties":{"path":{"description":"path that is exported by the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}}},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a\nPersistentVolumeClaim in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts.\nDefault false.","type":"boolean"}}},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.\nDeprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type 
is no longer supported.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}}},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine.\nDeprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type\nare redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate\nis on.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}}},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections. 
Each entry in this list\nhandles one source.","type":"array","items":{"description":"Projection that may be projected along with other supported volume types.\nExactly one of these fields must be set.","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem.  Esoteric PEM features such as inter-block\ncomments and block headers are stripped.  Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector.  Only has\neffect if signerName is set.  Mutually-exclusive with name.  If unset,\ninterpreted as \"match nothing\".  If set but empty, interpreted as \"match\neverything\".","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"description":"Select a single ClusterTrustBundle by object name.  Mutually-exclusive\nwith signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s)\naren't available.  If using name, then the named ClusterTrustBundle is\nallowed not to exist.  If using signerName, then the combination of\nsignerName and labelSelector is allowed to match zero\nClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name.\nMutually-exclusive with name.  The contents of all selected\nClusterTrustBundles will be unified and deduplicated.","type":"string"}}},"configMap":{"description":"configMap information about the configMap data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. 
Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"description":"Projects an auto-rotating credential bundle (private key and certificate\nchain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a\nPodCertificateRequest to the named signer.  Once the signer approves the\nrequest and issues a certificate chain, Kubelet writes the key and\ncertificate chain to the pod filesystem.  The pod does not start until\ncertificates have been issued for each podCertificate projected volume\nsource in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated\nby the signer using the PodCertificateRequest.Status.BeginRefreshAt\ntimestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath\nfield, or separate files, indicated by the keyPath and\ncertificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  
The first PEM\nentry is the private key (in PKCS#8 format), and the remaining PEM\nentries are the certificate chain issued by the signer (typically,\nsigners will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code\ncan read it atomically.  If you use keyPath and certificateChainPath,\nyour application must make two separate file reads. If these coincide\nwith a certificate rotation, it is possible that the private key and leaf\ncertificate you read may not correspond to each other.  Your application\nwill need to check for this condition, and re-read until they are\nconsistent.\n\nThe named signer chooses the format of the certificate it\nissues; consult the signer implementation's documentation to learn how to\nuse the certificates it issues.","type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"description":"Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"credentialBundlePath":{"description":"Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks.\nThe first PEM block is a PRIVATE KEY block, containing a PKCS#8 private\nkey.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued\ncertificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single\natomic read that retrieves a consistent key and certificate chain.  
If you\nproject them to separate files, your application code will need to\nadditionally check that the leaf certificate was issued to the key.","type":"string"},"keyPath":{"description":"Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"keyType":{"description":"The type of keypair Kubelet will generate for the pod.\n\nValid values are \"RSA3072\", \"RSA4096\", \"ECDSAP256\", \"ECDSAP384\",\n\"ECDSAP521\", and \"ED25519\".","type":"string"},"maxExpirationSeconds":{"description":"maxExpirationSeconds is the maximum lifetime permitted for the\ncertificate.\n\nKubelet copies this value verbatim into the PodCertificateRequests it\ngenerates for this projection.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver\nwill reject values shorter than 3600 (1 hour).  The maximum allowable\nvalue is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any\nlifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600\nseconds (1 hour).  This constraint is enforced by kube-apiserver.\n`kubernetes.io` signers will never issue certificates with a lifetime\nlonger than 24 hours.","type":"integer","format":"int32"},"signerName":{"description":"Kubelet's generated CSRs will be addressed to this signer.","type":"string"}}},"secret":{"description":"secret information about the secret data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token\nmust identify itself with an identifier specified in the audience of the\ntoken, and otherwise should reject the token. 
The audience defaults to the\nidentifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service\naccount token. As the token approaches expiration, the kubelet volume\nplugin will proactively rotate the service account token. The kubelet will\nstart trying to rotate the token if the token is older than 80 percent of\nits time to live or if the token is older than 24 hours. Defaults to 1 hour\nand must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the\ntoken into.","type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime.\nDeprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to\nDefault is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions.\nDefaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services\nspecified as a string as host:port pair (multiple entries are separated with commas)\nwhich acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend\nUsed with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to\nDefaults to serviceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}}},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nDeprecated: RBD is 
deprecated and the in-tree rbd type is no longer supported.","type":"object","required":["image","monitors"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided\noverrides keyring.\nDefault is nil.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.\nDeprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other\nsensitive information. If this is not provided, Login operation will fail.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"description":"sslEnabled is a flag that enables or disables SSL communication with the Gateway. Defaults to false.","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system\nthat is associated with this volume source.","type":"string"}}},"secret":{"description":"secret represents a secret that should populate this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values\nfor mode bits. Defaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}}},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.\nDeprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API\ncredentials.  If not specified, default values will be attempted.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume\nnames are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no\nnamespace is specified then the Pod's namespace will be used.  This allows the\nKubernetes name scoping to be mirrored within StorageOS for tighter integration.\nSet VolumeName to any name to override the default behaviour.\nSet to \"default\" if you are not using namespaces within StorageOS.\nNamespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.\nDeprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type\nare redirected to the csi.vsphere.vmware.com CSI driver.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}}}}}},"web":{"description":"web defines the web command line flags when starting Alertmanager.","type":"object","properties":{"getConcurrency":{"description":"getConcurrency defines the maximum number of GET requests processed concurrently. This corresponds to the\nAlertmanager's `--web.get-concurrency` flag.","type":"integer","format":"int32"},"httpConfig":{"description":"httpConfig defines HTTP parameters for web server.","type":"object","properties":{"headers":{"description":"headers defines a list of headers that can be added to HTTP responses.","type":"object","properties":{"contentSecurityPolicy":{"description":"contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses.\nUnset if blank.","type":"string"},"strictTransportSecurity":{"description":"strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses.\nUnset if blank.\nPlease make sure that you use this with care as this header might force\nbrowsers to load Prometheus and the other applications hosted on the same\ndomain and subdomains over HTTPS.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security","type":"string"},"xContentTypeOptions":{"description":"xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses.\nUnset if blank. 
Accepted value is nosniff.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options","type":"string","enum":["","NoSniff"]},"xFrameOptions":{"description":"xFrameOptions defines the X-Frame-Options header to HTTP responses.\nUnset if blank. Accepted values are deny and sameorigin.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options","type":"string","enum":["","Deny","SameOrigin"]},"xXSSProtection":{"description":"xXSSProtection defines the X-XSS-Protection header to all responses.\nUnset if blank.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection","type":"string"}}},"http2":{"description":"http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.\nWhen TLSConfig is not configured, HTTP/2 will be disabled.\nWhenever the value of the field changes, a rolling update will be triggered.","type":"boolean"}}},"timeout":{"description":"timeout for HTTP requests. This corresponds to the Alertmanager's\n`--web.timeout` flag.","type":"integer","format":"int32"},"tlsConfig":{"description":"tlsConfig defines the TLS parameters for HTTPS.","type":"object","properties":{"cert":{"description":"cert defines the Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.","type":"string"},"cipherSuites":{"description":"cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants","type":"array","items":{"type":"string"}},"clientAuthType":{"description":"clientAuthType defines the server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType","type":"string"},"clientCAFile":{"description":"clientCAFile defines the path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with 
`client_ca`.","type":"string"},"client_ca":{"description":"client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"curvePreferences":{"description":"curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID","type":"array","items":{"type":"string"}},"keyFile":{"description":"keyFile defines the path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.","type":"string"},"keySecret":{"description":"keySecret defines the secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the Maximum TLS version that is acceptable.","type":"string"},"minVersion":{"description":"minVersion defines the minimum TLS version that is acceptable.","type":"string"},"preferServerCipherSuites":{"description":"preferServerCipherSuites defines whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.","type":"boolean"}}}}}}},"status":{"description":"status defines the most recent observed status of the Alertmanager cluster. Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this Alertmanager cluster.","type":"integer","format":"int32"},"conditions":{"description":"conditions defines the current state of the Alertmanager object.","type":"array","items":{"description":"Condition represents the state of the resources associated with the\nPrometheus, Alertmanager or ThanosRuler resource.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines human-readable message indicating details for the condition's last 
transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the\ninstance.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.","type":"string","minLength":1}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"paused":{"description":"paused defines whether any actions on the underlying managed objects are\nbeing performed. Only delete actions will be performed.","type":"boolean"},"replicas":{"description":"replicas defines the total number of non-terminated pods targeted by this Alertmanager\nobject (their labels match the selector).","type":"integer","format":"int32"},"selector":{"description":"selector used to match the pods targeted by this Alertmanager object.","type":"string"},"unavailableReplicas":{"description":"unavailableReplicas defines the total number of unavailable pods targeted by this Alertmanager object.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this Alertmanager\nobject that have the desired version spec.","type":"integer","format":"int32"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"Alertmanager","version":"v1"}],"title":"com.coreos.monitoring.v1.Alertmanager"},"com.coreos.monitoring.v1.AlertmanagerList":{"description":"AlertmanagerList is a list of Alertmanager","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation 
of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of alertmanagers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.Alertmanager"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"AlertmanagerList","version":"v1"}],"title":"com.coreos.monitoring.v1.AlertmanagerList"},"com.coreos.monitoring.v1.PodMonitor":{"description":"The `PodMonitor` custom resource definition (CRD) defines how `Prometheus` and `PrometheusAgent` can scrape metrics from a group of pods.\nAmong other things, it allows to specify:\n* The pods to scrape via label selectors.\n* The container ports to scrape.\n* Authentication credentials to use.\n* Target and metric relabeling.\n\n`Prometheus` and `PrometheusAgent` objects select `PodMonitor` objects using label and namespace selectors.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of desired Pod selection for target discovery by Prometheus.","type":"object","required":["selector"],"properties":{"attachMetadata":{"description":"attachMetadata defines additional metadata which is added to the\ndiscovered targets.\n\nIt requires Prometheus >= v2.35.0.","type":"object","properties":{"node":{"description":"node when set to true, Prometheus attaches node metadata to the discovered\ntargets.\n\nThe Prometheus service account must have the `list` and `watch`\npermissions on the `Nodes` objects.","type":"boolean"}}},"bodySizeLimit":{"description":"bodySizeLimit when defined specifies a job level limit on the size\nof uncompressed response body that will be accepted by Prometheus.\n\nIt requires Prometheus >= v2.28.0.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.\nIt requires Prometheus >= v3.0.0.","type":"boolean"},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\n\nIt requires Prometheus >= 
v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"jobLabel":{"description":"jobLabel defines the label to use to retrieve the job name from.\n`jobLabel` selects the label from the associated Kubernetes `Pod`\nobject which will be used as the `job` label for all metrics.\n\nFor example if `jobLabel` is set to `foo` and the Kubernetes `Pod`\nobject is labeled with `foo: bar`, then Prometheus adds the `job=\"bar\"`\nlabel to all ingested metrics.\n\nIf the value of this field is empty, the `job` label of the metrics\ndefaults to the namespace and name of the PodMonitor object (e.g. `<namespace>/<name>`).","type":"string"},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 0 means no limit.\n\nIt requires Prometheus >= v2.47.0.","type":"integer","format":"int64"},"labelLimit":{"description":"labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"namespaceSelector":{"description":"namespaceSelector defines in which namespace(s) Prometheus should discover the pods.\nBy default, the pods are discovered in the same namespace as the `PodMonitor` object but it is possible to select pods across different/all namespaces.","type":"object","properties":{"any":{"description":"any defines the boolean describing whether all 
namespaces are selected in contrast to a\nlist restricting them.","type":"boolean"},"matchNames":{"description":"matchNames defines the list of namespace names to select from.","type":"array","items":{"type":"string"}}}},"nativeHistogramBucketLimit":{"description":"nativeHistogramBucketLimit defines if there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0.","type":"integer","format":"int64"},"nativeHistogramMinBucketFactor":{"description":"nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"podMetricsEndpoints":{"description":"podMetricsEndpoints defines how to scrape metrics from the selected pods.","type":"array","items":{"description":"PodMetricsEndpoint defines an endpoint serving Prometheus metrics to be scraped by\nPrometheus.","type":"object","properties":{"authorization":{"description":"authorization configures the Authorization header credentials used by\nthe client.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the Basic Authentication credentials used by the\nclient.\n\nCannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines a key of a Secret containing the bearer token\nused by the client for authentication. The secret needs to be in the\nsame namespace as the custom resource and readable by the Prometheus\nOperator.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `oauth2`.\n\nDeprecated: use `authorization` instead.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"filterRunning":{"description":"filterRunning when true, the pods which are not running (e.g. 
either in Failed or\nSucceeded state) are dropped during the target discovery.\n\nIf unset, the filtering is enabled.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether the client should follow HTTP 3xx\nredirects.","type":"boolean"},"honorLabels":{"description":"honorLabels when true preserves the metric's labels when they collide\nwith the target's labels.","type":"boolean"},"honorTimestamps":{"description":"honorTimestamps defines whether Prometheus preserves the timestamps\nwhen exposed by the target.","type":"boolean"},"interval":{"description":"interval at which Prometheus scrapes the metrics from the target.\n\nIf empty, Prometheus uses the global scrape interval.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"metricRelabelings":{"description":"metricRelabelings defines the relabeling rules to apply to the\nsamples before ingestion.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 settings used by the client.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the client cannot authenticate the server it connects to.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"params":{"description":"params define optional HTTP URL parameters.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"path":{"description":"path defines the HTTP path from which to scrape for metrics.\n\nIf empty, Prometheus uses the default value (e.g. 
`/metrics`).","type":"string"},"port":{"description":"port defines the `Pod` port name which exposes the endpoint.\n\nIf the pod doesn't expose a port with the same name, it will result\nin no targets being discovered.\n\nIf a `Pod` has multiple `Port`s with the same name (which is not\nrecommended), one target instance per unique port number will be\ngenerated.\n\nIt takes precedence over the `portNumber` and `targetPort` fields.","type":"string"},"portNumber":{"description":"portNumber defines the `Pod` port number which exposes the endpoint.\n\nThe `Pod` must declare the specified `Port` in its spec or the\ntarget will be dropped by Prometheus.\n\nThis cannot be used to enable scraping of an undeclared port.\nTo scrape targets on a port which isn't exposed, you need to use\nrelabeling to override the `__address__` label (but beware of\nduplicate targets if the `Pod` has other declared ports).\n\nIn practice Prometheus will select targets for which the\n`portNumber` value matches the target's __meta_kubernetes_pod_container_port_number.","type":"integer","format":"int32","maximum":65535,"minimum":1},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"relabelings":{"description":"relabelings defines the relabeling rules to apply to the target's\nmetadata labels.\n\nThe Operator automatically adds relabelings for a few standard Kubernetes fields.\n\nThe original scrape job's name is available via the `__tmp_prometheus_job_name` label.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the 
hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"scheme":{"description":"scheme defines the HTTP scheme to use for scraping.","type":"string","enum":["http","https","HTTP","HTTPS"]},"scrapeTimeout":{"description":"scrapeTimeout defines the timeout after which Prometheus considers the scrape to be failed.\n\nIf empty, Prometheus uses the global scrape timeout unless it is less\nthan the target's scrape interval value in which the latter is used.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the 
resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"targetPort":{"description":"targetPort defines the name or number of the target port of the `Pod` object behind the Service, the\nport must be specified with container port property.\n\nDeprecated: use 'port' or 'portNumber' instead.","x-kubernetes-int-or-string":true},"tlsConfig":{"description":"tlsConfig defines the TLS configuration used by the client.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the client cannot authenticate the server it connects to.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"trackTimestampsStaleness":{"description":"trackTimestampsStaleness defines whether Prometheus tracks staleness of\nthe metrics that have an explicit timestamp present in scraped data.\nHas no effect if `honorTimestamps` is false.\n\nIt requires Prometheus >= 
v2.48.0.","type":"boolean"}}}},"podTargetLabels":{"description":"podTargetLabels defines the labels which are transferred from the\nassociated Kubernetes `Pod` object onto the ingested metrics.","type":"array","items":{"type":"string"}},"sampleLimit":{"description":"sampleLimit defines a per-scrape limit on the number of scraped samples\nthat will be accepted.","type":"integer","format":"int64"},"scrapeClass":{"description":"scrapeClass defines the scrape class to apply.","type":"string","minLength":1},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.","type":"boolean"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols defines the protocols to negotiate during a scrape. 
It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.","type":"array","items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"selector":{"description":"selector defines the label selector to select the Kubernetes `Pod` objects to scrape metrics from.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"selectorMechanism":{"description":"selectorMechanism defines the mechanism used to select the endpoints to scrape.\nBy default, the selection process relies on relabel configurations to filter the discovered targets.\nAlternatively, you can opt in for role selectors, which may offer better efficiency in large clusters.\nWhich strategy is best for your use case needs to be carefully evaluated.\n\nIt requires Prometheus >= v2.17.0.","type":"string","enum":["RelabelConfig","RoleSelector"]},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will\nbe accepted.","type":"integer","format":"int64"}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the PodMonitor. 
Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PodMonitor","version":"v1"}],"title":"com.coreos.monitoring.v1.PodMonitor"},"com.coreos.monitoring.v1.PodMonitorList":{"description":"PodMonitorList is a list of PodMonitor","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of podmonitors. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.PodMonitor"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PodMonitorList","version":"v1"}],"title":"com.coreos.monitoring.v1.PodMonitorList"},"com.coreos.monitoring.v1.Probe":{"description":"The `Probe` custom resource definition (CRD) defines how to scrape metrics from prober exporters such as the [blackbox exporter](https://github.com/prometheus/blackbox_exporter).\n\nThe `Probe` resource needs 2 pieces of information:\n* The list of probed addresses which can be defined statically or by discovering Kubernetes Ingress objects.\n* The prober which exposes the availability of probed endpoints (over various protocols such as HTTP, TCP, ICMP, ...) as Prometheus metrics.\n\n`Prometheus` and `PrometheusAgent` objects select `Probe` objects using label and namespace selectors.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of desired Ingress selection for target discovery by Prometheus.","type":"object","properties":{"authorization":{"description":"authorization configures the Authorization header credentials used by\nthe client.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the Basic Authentication credentials used by the\nclient.\n\nCannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines a key of a Secret containing the bearer token\nused by the client for authentication. 
The secret needs to be in the\nsame namespace as the custom resource and readable by the Prometheus\nOperator.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `oauth2`.\n\nDeprecated: use `authorization` instead.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.\nIt requires Prometheus >= v3.0.0.","type":"boolean"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"followRedirects":{"description":"followRedirects defines whether the client should follow HTTP 3xx\nredirects.","type":"boolean"},"interval":{"description":"interval at which targets are probed using the configured prober.\nIf not specified Prometheus' global scrape interval is used.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"jobName":{"description":"jobName assigned to scraped metrics by 
default.","type":"string"},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 0 means no limit.\n\nIt requires Prometheus >= v2.47.0.","type":"integer","format":"int64"},"labelLimit":{"description":"labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"metricRelabelings":{"description":"metricRelabelings defines the RelabelConfig to apply to samples before ingestion.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action 
is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"module":{"description":"module to use for probing specifying how to probe the target.\nExample module configuring in the blackbox exporter:\nhttps://github.com/prometheus/blackbox_exporter/blob/master/example.yml","type":"string"},"nativeHistogramBucketLimit":{"description":"nativeHistogramBucketLimit defines if there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0.","type":"integer","format":"int64"},"nativeHistogramMinBucketFactor":{"description":"nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor 
sufficiently.\nIt requires Prometheus >= v2.50.0.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"oauth2":{"description":"oauth2 defines the OAuth2 settings used by the client.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection is not protected against impersonation of the server.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"params":{"description":"params defines the list of HTTP query parameters for the scrape.\nPlease note that the `.spec.module` field takes precedence over the `module` parameter from this list when both are defined.\nThe module name must be added using Module under ProbeSpec.","type":"array","minItems":1,"items":{"description":"ProbeParam defines specification of extra parameters for a Probe.","type":"object","required":["name"],"properties":{"name":{"description":"name defines the parameter name","type":"string","minLength":1},"values":{"description":"values defines the parameter values","type":"array","minItems":1,"items":{"type":"string","minLength":1}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"prober":{"description":"prober defines the specification for the prober to use for probing targets.\nThe prober.URL parameter is required. 
Targets cannot be probed if left empty.","type":"object","required":["url"],"properties":{"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"path":{"description":"path to collect metrics from.\nDefaults to `/probe`.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scheme":{"description":"scheme defines the HTTP scheme to use when scraping the prober.","type":"string","enum":["http","https","HTTP","HTTPS"]},"url":{"description":"url defines the address of the prober.\n\nUnlike what the name indicates, the value should be in the form of\n`address:port` without any scheme which should be specified in the\n`scheme` field.","type":"string","minLength":1}}},"sampleLimit":{"description":"sampleLimit defines per-scrape limit on number of scraped samples that will be accepted.","type":"integer","format":"int64"},"scrapeClass":{"description":"scrapeClass defines the scrape class to apply.","type":"string","minLength":1},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.","type":"boolean"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols 
defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.","type":"array","items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"scrapeTimeout":{"description":"scrapeTimeout defines the timeout for scraping metrics from the Prometheus exporter.\nIf not specified, the Prometheus global scrape timeout is used.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will be accepted.","type":"integer","format":"int64"},"targets":{"description":"targets defines a set of static or dynamically discovered targets to probe.","type":"object","properties":{"ingress":{"description":"ingress defines the Ingress objects to probe and the relabeling\nconfiguration.\nIf `staticConfig` is also defined, `staticConfig` takes precedence.","type":"object","properties":{"namespaceSelector":{"description":"namespaceSelector defines from which namespaces to select Ingress objects.","type":"object","properties":{"any":{"description":"any defines the boolean describing whether all namespaces are selected in contrast to a\nlist restricting them.","type":"boolean"},"matchNames":{"description":"matchNames defines the list of namespace names to select 
from.","type":"array","items":{"type":"string"}}}},"relabelingConfigs":{"description":"relabelingConfigs to apply to the label set of the target before it gets\nscraped.\nThe original ingress address is available via the\n`__tmp_prometheus_ingress_address` label. It can be used to customize the\nprobed URL.\nThe original scrape job's name is available via the `__tmp_prometheus_job_name` label.\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. 
Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"selector":{"description":"selector to select the Ingress objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"staticConfig":{"description":"staticConfig defines the static list of targets to probe and the\nrelabeling configuration.\nIf `ingress` is also defined, `staticConfig` takes precedence.\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config.","type":"object","properties":{"labels":{"description":"labels defines all labels assigned to all metrics scraped from the targets.","type":"object","additionalProperties":{"type":"string"}},"relabelingConfigs":{"description":"relabelingConfigs defines relabelings to be applied to the label set of the targets before it gets\nscraped.\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"static":{"description":"static defines the list of hosts to probe.","type":"array","items":{"type":"string"}}}}}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration used by the client.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables validation of the target's certificate when set to true. With validation disabled, the identity of the target is not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the Probe. 
Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"Probe","version":"v1"}],"title":"com.coreos.monitoring.v1.Probe"},"com.coreos.monitoring.v1.ProbeList":{"description":"ProbeList is a list of Probe","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of probes. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.Probe"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ProbeList","version":"v1"}],"title":"com.coreos.monitoring.v1.ProbeList"},"com.coreos.monitoring.v1.Prometheus":{"description":"The `Prometheus` custom resource definition (CRD) defines a desired [Prometheus](https://prometheus.io/docs/prometheus) setup to run in a Kubernetes cluster. It allows to specify many options such as the number of replicas, persistent storage, and Alertmanagers where firing alerts should be sent and many more.\n\nFor each `Prometheus` resource, the Operator deploys one or several `StatefulSet` objects in the same namespace. The number of StatefulSets is equal to the number of shards which is 1 by default.\n\nThe resource defines via label and namespace selectors which `ServiceMonitor`, `PodMonitor`, `Probe` and `PrometheusRule` objects should be associated to the deployed Prometheus instances.\n\nThe Operator continuously reconciles the scrape and rules configuration and a sidecar container running in the Prometheus pods triggers a reload of the configuration when needed.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of the desired behavior of the Prometheus cluster. More info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"additionalAlertManagerConfigs":{"description":"additionalAlertManagerConfigs defines a key of a Secret containing\nadditional Prometheus Alertmanager configurations. The Alertmanager\nconfigurations are appended to the configuration generated by the\nPrometheus Operator. They must be formatted according to the official\nPrometheus documentation:\n\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config\n\nThe user is responsible for making sure that the configurations are valid\n\nNote that using this feature may expose the possibility to break\nupgrades of Prometheus. It is advised to review Prometheus release notes\nto ensure that no incompatible AlertManager configs are going to break\nPrometheus after the upgrade.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"additionalAlertRelabelConfigs":{"description":"additionalAlertRelabelConfigs defines a key of a Secret containing\nadditional Prometheus alert relabel configurations. The alert relabel\nconfigurations are appended to the configuration generated by the\nPrometheus Operator. They must be formatted according to the official\nPrometheus documentation:\n\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n\nThe user is responsible for making sure that the configurations are valid\n\nNote that using this feature may expose the possibility to break\nupgrades of Prometheus. It is advised to review Prometheus release notes\nto ensure that no incompatible alert relabel configs are going to break\nPrometheus after the upgrade.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"additionalArgs":{"description":"additionalArgs allows setting additional arguments for the 'prometheus' container.\n\nIt is intended for e.g. activating hidden flags which are not supported by\nthe dedicated configuration options yet. The arguments are passed as-is to the\nPrometheus container which may cause issues if they are invalid or not supported\nby the given Prometheus version.\n\nIn case of an argument conflict (e.g. an argument which is already set by the\noperator itself) or when providing an invalid argument, the reconciliation will\nfail and an error will be logged.","type":"array","items":{"description":"Argument as part of the AdditionalArgs list.","type":"object","required":["name"],"properties":{"name":{"description":"name of the argument, e.g. \"scrape.discovery-reload-interval\".","type":"string","minLength":1},"value":{"description":"value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile)","type":"string"}}}},"additionalScrapeConfigs":{"description":"additionalScrapeConfigs allows specifying a key of a Secret containing\nadditional Prometheus scrape configurations. Scrape configurations\nspecified are appended to the configurations generated by the Prometheus\nOperator. Job configurations specified must have the form as specified\nin the official Prometheus documentation:\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config.\nAs scrape configs are appended, the user is responsible to make sure it\nis valid. Note that using this feature may expose the possibility to\nbreak upgrades of Prometheus. 
It is advised to review Prometheus release\nnotes to ensure that no incompatible scrape configs are going to break\nPrometheus after the upgrade.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"affinity":{"description":"affinity defines the Pods' affinity scheduling rules if specified.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. 
is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. 
as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and subtracting\n\"weight\" from the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"alerting":{"description":"alerting defines the settings related to Alertmanager.","type":"object","required":["alertmanagers"],"properties":{"alertmanagers":{"description":"alertmanagers endpoints where Prometheus should send alerts to.","type":"array","items":{"description":"AlertmanagerEndpoints defines a selection of a single Endpoints object\ncontaining Alertmanager IPs to fire alerts against.","type":"object","required":["name","port"],"properties":{"alertRelabelings":{"description":"alertRelabelings defines the relabeling configs applied before sending alerts to a specific Alertmanager.\nIt requires Prometheus >= v2.51.0.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions 
require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. 
Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"apiVersion":{"description":"apiVersion defines the version of the Alertmanager API that Prometheus uses to send alerts.\nIt can be \"V1\" or \"V2\".\nThe field has no effect for Prometheus >= v3.0.0 because only the v2 API is supported.","type":"string","enum":["v1","V1","v2","V2"]},"authorization":{"description":"authorization section for Alertmanager.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenFile` or `sigv4`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth configuration for Alertmanager.\n\nCannot be set at the same time as `bearerTokenFile`, `authorization` or `sigv4`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenFile":{"description":"bearerTokenFile defines the file to read bearer token for Alertmanager.\n\nCannot be set at the same time as `basicAuth`, `authorization`, or `sigv4`.\n\nDeprecated: this will be removed in a future release. 
Prefer using `authorization`.","type":"string"},"enableHttp2":{"description":"enableHttp2 defines whether to enable HTTP2.","type":"boolean"},"name":{"description":"name of the Endpoints object in the namespace.","type":"string","minLength":1},"namespace":{"description":"namespace of the Endpoints object.\n\nIf not set, the object will be discovered in the namespace of the\nPrometheus object.","type":"string","minLength":1},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"pathPrefix":{"description":"pathPrefix defines the prefix for the HTTP path alerts are pushed to.","type":"string","minLength":1},"port":{"description":"port on which the Alertmanager API is exposed.","x-kubernetes-int-or-string":true},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"relabelings":{"description":"relabelings defines the relabel configuration applied to the discovered Alertmanagers.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is 
matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"scheme":{"description":"scheme defines the HTTP scheme to use when sending alerts.","type":"string","enum":["http","https","HTTP","HTTPS"]},"sigv4":{"description":"sigv4 defines AWS's Signature Version 4 signing for the URL.\n\nIt requires Prometheus >= v2.48.0.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenFile` or `authorization`.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key. If not specified, the environment variable\n`AWS_ACCESS_KEY_ID` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"profile":{"description":"profile defines the named AWS profile used to authenticate.","type":"string"},"region":{"description":"region defines the AWS region. If blank, the region from the default credentials chain is used.","type":"string"},"roleArn":{"description":"roleArn defines the AWS Role ARN used to authenticate.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret. If not specified, the environment\nvariable `AWS_SECRET_ACCESS_KEY` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"useFIPSSTSEndpoint":{"description":"useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint.\nIt requires Prometheus >= v2.54.0.","type":"boolean"}}},"timeout":{"description":"timeout defines a per-target Alertmanager timeout when pushing alerts.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig to use for Alertmanager.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the identity of the target is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}}}},"allowOverlappingBlocks":{"description":"allowOverlappingBlocks enables vertical compaction and vertical query\nmerge in Prometheus.\n\nDeprecated: this flag has no effect for Prometheus >= 2.39.0 where overlapping blocks are enabled by default.","type":"boolean"},"apiserverConfig":{"description":"apiserverConfig allows specifying a host and auth methods to access the\nKubernetes API server.\nIf null, Prometheus is assumed to run inside of the cluster: it will\ndiscover the API servers automatically and use the Pod's CA certificate\nand bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.","type":"object","required":["host"],"properties":{"authorization":{"description":"authorization section for the API server.\n\nCannot be set at the same time as `basicAuth`, `bearerToken`, or\n`bearerTokenFile`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth configuration for the API server.\n\nCannot be set at the same time as `authorization`, `bearerToken`, or\n`bearerTokenFile`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n *Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file to read bearer token for accessing apiserver.\n\nCannot be set at the same time as `basicAuth`, `authorization`, or `bearerToken`.\n\nDeprecated: this will be removed in a future release. Prefer using `authorization`.","type":"string"},"host":{"description":"host defines the Kubernetes API address consisting of a hostname or IP address followed\nby an optional port number.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig to use for the API server.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the identity of the target is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"arbitraryFSAccessThroughSMs":{"description":"arbitraryFSAccessThroughSMs defines whether ServiceMonitor, PodMonitor and Probe objects are forbidden to\nreference arbitrary files on the file system of the 'prometheus'\ncontainer.\nWhen a ServiceMonitor's endpoint specifies a `bearerTokenFile` value\n(e.g.  '/var/run/secrets/kubernetes.io/serviceaccount/token'), a\nmalicious target can get access to the Prometheus service account's\ntoken in the Prometheus' scrape request. Setting\n`spec.arbitraryFSAccessThroughSMs.deny` to 'true' would prevent the attack.\nUsers should instead provide the credentials using the\n`spec.bearerTokenSecret` field.","type":"object","properties":{"deny":{"description":"deny prevents service monitors from accessing arbitrary files on the file system.\nWhen true, service monitors cannot use file-based configurations like BearerTokenFile\nthat could potentially access sensitive files. 
When false (default), such access is allowed.\nSetting this to true enhances security by preventing potential credential theft attacks.","type":"boolean"}}},"automountServiceAccountToken":{"description":"automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.","type":"boolean"},"baseImage":{"description":"baseImage is deprecated: use 'spec.image' instead.","type":"string"},"bodySizeLimit":{"description":"bodySizeLimit defines the per-scrape limit on response body size.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"configMaps":{"description":"configMaps defines a list of ConfigMaps in the same namespace as the Prometheus\nobject, which shall be mounted into the Prometheus Pods.\nEach ConfigMap is added to the StatefulSet definition as a volume named `configmap-<configmap-name>`.\nThe ConfigMaps are mounted into /etc/prometheus/configmaps/<configmap-name> in the 'prometheus' container.","type":"array","items":{"type":"string"}},"containers":{"description":"containers allows injecting additional containers or modifying operator\ngenerated containers. This can be used to allow adding an authentication\nproxy to the Pods or to change the behavior of an operator generated\ncontainer. 
Containers described here modify an operator generated\ncontainer if they share the same name and modifications are done via a\nstrategic merge patch.\n\nThe names of containers managed by the operator are:\n* `prometheus`\n* `config-reloader`\n* `thanos-sidecar`\n\nOverriding containers is entirely outside the scope of what the\nmaintainers will support and by doing so, you accept that this behaviour\nmay break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. 
Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' 
path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false.","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native\nhistogram with custom buckets.\n\nIt requires Prometheus >= v3.4.0.","type":"boolean"},"disableCompaction":{"description":"disableCompaction when true, the Prometheus compaction is disabled.\nWhen `spec.thanos.objectStorageConfig` or `spec.objectStorageConfigFile` are defined, the operator automatically\ndisables block compaction to avoid race conditions during block uploads (as the Thanos documentation recommends).","type":"boolean"},"dnsConfig":{"description":"dnsConfig defines the DNS configuration for the pods.","type":"object","properties":{"nameservers":{"description":"nameservers defines the list 
of DNS name server IP addresses.\nThis will be appended to the base nameservers generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"options":{"description":"options defines the list of DNS resolver options.\nThis will be merged with the base options generated from DNSPolicy.\nResolution options given in Options\nwill override those that appear in the base DNSPolicy.","type":"array","items":{"description":"PodDNSConfigOption defines DNS resolver options of a pod.","type":"object","required":["name"],"properties":{"name":{"description":"name is required and must be unique.","type":"string","minLength":1},"value":{"description":"value is optional.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"searches":{"description":"searches defines the list of DNS search domains for host-name lookup.\nThis will be appended to the base search paths generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"dnsPolicy":{"description":"dnsPolicy defines the DNS policy for the pods.","type":"string","enum":["ClusterFirstWithHostNet","ClusterFirst","Default","None"]},"enableAdminAPI":{"description":"enableAdminAPI defines access to the Prometheus web admin API.\n\nWARNING: Enabling the admin APIs enables mutating endpoints, to delete data,\nshut down Prometheus, and more. Enabling this should be done with care and the\nuser is advised to add additional authentication and authorization via a proxy to\nensure only clients authorized to perform these actions can do so.\n\nFor more information:\nhttps://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis","type":"boolean"},"enableFeatures":{"description":"enableFeatures enables access to Prometheus feature flags. 
By default, no features are enabled.\n\nEnabling features which are disabled by default is entirely outside the\nscope of what the maintainers will support and by doing so, you accept\nthat this behaviour may break at any time without notice.\n\nFor more information see https://prometheus.io/docs/prometheus/latest/feature_flags/","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"enableOTLPReceiver":{"description":"enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol.\n\nNote that the OTLP receiver endpoint is automatically enabled if `.spec.otlpConfig` is defined.\n\nIt requires Prometheus >= v2.47.0.","type":"boolean"},"enableRemoteWriteReceiver":{"description":"enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote\nwrite protocol.\n\nWARNING: This is not considered an efficient way of ingesting samples.\nUse it with caution for specific low-volume use cases.\nIt is not suitable for replacing the ingestion via scraping and turning\nPrometheus into a push-based metrics collection system.\nFor more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver\n\nIt requires Prometheus >= v2.33.0.","type":"boolean"},"enableServiceLinks":{"description":"enableServiceLinks defines whether information about services should be injected into pod's environment variables","type":"boolean"},"enforcedBodySizeLimit":{"description":"enforcedBodySizeLimit when defined specifies a global limit on the size\nof uncompressed response body that will be accepted by Prometheus.\nTargets responding with a body larger than this many bytes will cause\nthe scrape to fail.\n\nIt requires Prometheus >= v2.28.0.\n\nWhen both `enforcedBodySizeLimit` and `bodySizeLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value 
(Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedBodySizeLimit` is greater than the `bodySizeLimit`, the `bodySizeLimit` will be set to `enforcedBodySizeLimit`.\n* Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value.\n* Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"enforcedKeepDroppedTargets":{"description":"enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets\ndropped by relabeling that will be kept in memory. The value overrides\nany `spec.keepDroppedTargets` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.keepDroppedTargets` is\ngreater than zero and less than `spec.enforcedKeepDroppedTargets`.\n\nIt requires Prometheus >= v2.47.0.\n\nWhen both `enforcedKeepDroppedTargets` and `keepDroppedTargets` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedKeepDroppedTargets` is greater than the `keepDroppedTargets`, the `keepDroppedTargets` will be set to `enforcedKeepDroppedTargets`.\n* Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value.\n* Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets.","type":"integer","format":"int64"},"enforcedLabelLimit":{"description":"enforcedLabelLimit when defined specifies a global limit on the number\nof labels per sample. 
The value overrides any `spec.labelLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelLimit` is\ngreater than zero and less than `spec.enforcedLabelLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelLimit` and `labelLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelLimit` is greater than the `labelLimit`, the `labelLimit` will be set to `enforcedLabelLimit`.\n* Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value.\n* Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit.","type":"integer","format":"int64"},"enforcedLabelNameLengthLimit":{"description":"enforcedLabelNameLengthLimit when defined specifies a global limit on the length\nof labels name per sample. 
The value overrides any `spec.labelNameLengthLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelNameLengthLimit` is\ngreater than zero and less than `spec.enforcedLabelNameLengthLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelNameLengthLimit` and `labelNameLengthLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelNameLengthLimit` is greater than the `labelNameLengthLimit`, the `labelNameLengthLimit` will be set to `enforcedLabelNameLengthLimit`.\n* Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value.\n* Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit.","type":"integer","format":"int64"},"enforcedLabelValueLengthLimit":{"description":"enforcedLabelValueLengthLimit when not null defines a global limit on the length\nof labels value per sample. 
The value overrides any `spec.labelValueLengthLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelValueLengthLimit` is\ngreater than zero and less than `spec.enforcedLabelValueLengthLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelValueLengthLimit` and `labelValueLengthLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelValueLengthLimit` is greater than the `labelValueLengthLimit`, the `labelValueLengthLimit` will be set to `enforcedLabelValueLengthLimit`.\n* Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value.\n* Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit.","type":"integer","format":"int64"},"enforcedNamespaceLabel":{"description":"enforcedNamespaceLabel when not empty, a label will be added to:\n\n1. All metrics scraped from `ServiceMonitor`, `PodMonitor`, `Probe` and `ScrapeConfig` objects.\n2. All metrics generated from recording rules defined in `PrometheusRule` objects.\n3. All alerts generated from alerting rules defined in `PrometheusRule` objects.\n4. All vector selectors of PromQL expressions defined in `PrometheusRule` objects.\n\nThe label will not be added for objects referenced in `spec.excludedFromEnforcement`.\n\nThe label's name is this field's value.\nThe label's value is the namespace of the `ServiceMonitor`,\n`PodMonitor`, `Probe`, `PrometheusRule` or `ScrapeConfig` object.","type":"string"},"enforcedSampleLimit":{"description":"enforcedSampleLimit when defined specifies a global limit on the number\nof scraped samples that will be accepted. 
This overrides any\n`spec.sampleLimit` set by ServiceMonitor, PodMonitor, Probe objects\nunless `spec.sampleLimit` is greater than zero and less than\n`spec.enforcedSampleLimit`.\n\nIt is meant to be used by admins to keep the overall number of\nsamples/series under a desired limit.\n\nWhen both `enforcedSampleLimit` and `sampleLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedSampleLimit` is greater than the `sampleLimit`, the `sampleLimit` will be set to `enforcedSampleLimit`.\n* Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value.\n* Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit.","type":"integer","format":"int64"},"enforcedTargetLimit":{"description":"enforcedTargetLimit when defined specifies a global limit on the number\nof scraped targets. 
The value overrides any `spec.targetLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.targetLimit` is\ngreater than zero and less than `spec.enforcedTargetLimit`.\n\nIt is meant to be used by admins to keep the overall number of\ntargets under a desired limit.\n\nWhen both `enforcedTargetLimit` and `targetLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedTargetLimit` is greater than the `targetLimit`, the `targetLimit` will be set to `enforcedTargetLimit`.\n* Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value.\n* Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit.","type":"integer","format":"int64"},"evaluationInterval":{"description":"evaluationInterval defines the interval between rule evaluations.\nDefault: \"30s\"","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"excludedFromEnforcement":{"description":"excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects\nto be excluded from enforcing a namespace label of origin.\n\nIt is only applicable if `spec.enforcedNamespaceLabel` set to true.","type":"array","items":{"description":"ObjectReference references a PodMonitor, ServiceMonitor, Probe or PrometheusRule object.","type":"object","required":["namespace","resource"],"properties":{"group":{"description":"group of the referent. When not specified, it defaults to `monitoring.coreos.com`","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name of the referent. 
When not set, all resources in the namespace are matched.","type":"string"},"namespace":{"description":"namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string","minLength":1},"resource":{"description":"resource of the referent.","type":"string","enum":["prometheusrules","servicemonitors","podmonitors","probes","scrapeconfigs"]}}}},"exemplars":{"description":"exemplars related settings that are runtime reloadable.\nThe `exemplar-storage` feature flag must be enabled for these settings to be effective.","type":"object","properties":{"maxSize":{"description":"maxSize defines the maximum number of exemplars stored in memory for all series.\n\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIf not set, Prometheus uses its default value. A value of zero or less\nthan zero disables the storage.","type":"integer","format":"int64"}}},"externalLabels":{"description":"externalLabels defines the labels to add to any time series or alerts when communicating with\nexternal systems (federation, remote storage, Alertmanager).\nLabels defined by `spec.replicaExternalLabelName` and\n`spec.prometheusExternalLabelName` take precedence over this list.","type":"object","additionalProperties":{"type":"string"}},"externalUrl":{"description":"externalUrl defines the external URL under which the Prometheus service is externally\navailable. 
This is necessary to generate correct URLs (for instance if\nPrometheus is accessible behind an Ingress resource).","type":"string"},"hostAliases":{"description":"hostAliases defines the optional list of hosts and IPs that will be injected into the Pod's\nhosts file if specified.","type":"array","items":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the\npod's hosts file.","type":"object","required":["hostnames","ip"],"properties":{"hostnames":{"description":"hostnames defines hostnames for the above IP address.","type":"array","items":{"type":"string"}},"ip":{"description":"ip defines the IP address of the host file entry.","type":"string"}}},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map"},"hostNetwork":{"description":"hostNetwork, if true, makes the pods use the host's network namespace.\n\nMake sure to understand the security implications if you want to enable\nit (https://kubernetes.io/docs/concepts/configuration/overview/ ).\n\nWhen hostNetwork is enabled, this will set the DNS policy to\n`ClusterFirstWithHostNet` automatically (unless `.spec.DNSPolicy` is set\nto a different value).","type":"boolean"},"hostUsers":{"description":"hostUsers supports user namespaces in Kubernetes.\n\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/\n\nThe feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled.\nStarting Kubernetes 1.33, the feature is enabled by default.","type":"boolean"},"ignoreNamespaceSelectors":{"description":"ignoreNamespaceSelectors when true, `spec.namespaceSelector` from all PodMonitor, ServiceMonitor\nand Probe objects will be ignored. They will only discover targets\nwithin the namespace of the PodMonitor, ServiceMonitor and Probe\nobject.","type":"boolean"},"image":{"description":"image defines the container image name for Prometheus. 
If specified, it takes precedence\nover the `spec.baseImage`, `spec.tag` and `spec.sha` fields.\n\nSpecifying `spec.version` is still necessary to ensure the Prometheus\nOperator knows which version of Prometheus is being configured.\n\nIf neither `spec.image` nor `spec.baseImage` are defined, the operator\nwill use the latest upstream version of Prometheus available at the time\nwhen the operator was released.","type":"string"},"imagePullPolicy":{"description":"imagePullPolicy defines the image pull policy for the 'prometheus', 'init-config-reloader' and 'config-reloader' containers.\nSee https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.","type":"string","enum":["","Always","Never","IfNotPresent"]},"imagePullSecrets":{"description":"imagePullSecrets defines an optional list of references to Secrets in the same namespace\nto use for pulling images from registries.\nSee http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"initContainers":{"description":"initContainers allows injecting initContainers to the Pod definition. Those\ncan be used to e.g.  fetch secrets for injection into the Prometheus\nconfiguration from external sources. Any errors during the execution of\nan initContainer will lead to a restart of the Pod. 
More info:\nhttps://kubernetes.io/docs/concepts/workloads/pods/init-containers/\nInitContainers described here modify an operator generated init\ncontainers if they share the same name and modifications are done via a\nstrategic merge patch.\n\nThe names of init container name managed by the operator are:\n* `init-config-reloader`.\n\nOverriding init containers is entirely outside the scope of what the\nmaintainers will support and by doing so, you accept that this behaviour\nmay break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". 
Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' 
path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false.","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 
0 means no limit.\n\nIt requires Prometheus >= v2.47.0.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets.","type":"integer","format":"int64"},"labelLimit":{"description":"labelLimit defines per-scrape limit on number of labels that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit.","type":"integer","format":"int64"},"listenLocal":{"description":"listenLocal when true, the Prometheus server listens on the loopback address\ninstead of the Pod IP's address.","type":"boolean"},"logFormat":{"description":"logFormat defines the log format for Prometheus and the config-reloader sidecar.","type":"string","enum":["","logfmt","json"]},"logLevel":{"description":"logLevel for Prometheus and the config-reloader 
sidecar.","type":"string","enum":["","debug","info","warn","error"]},"maximumStartupDurationSeconds":{"description":"maximumStartupDurationSeconds defines the maximum time that the `prometheus` container's startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete.\nIf set, the value should be greater than 60 (seconds). Otherwise it will be equal to 900 seconds (15 minutes).","type":"integer","format":"int32","minimum":60},"minReadySeconds":{"description":"minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready\nwithout any of its container crashing for it to be considered available.\n\nIf unset, pods will be considered available as soon as they are ready.","type":"integer","format":"int32","minimum":0},"nameEscapingScheme":{"description":"nameEscapingScheme defines the character escaping scheme that will be requested when scraping\nfor metric and label names that do not conform to the legacy Prometheus\ncharacter set.\n\nIt requires Prometheus >= v3.4.0.","type":"string","enum":["AllowUTF8","Underscores","Dots","Values"]},"nameValidationScheme":{"description":"nameValidationScheme defines the validation scheme for metric and label names.\n\nIt requires Prometheus >= v2.55.0.","type":"string","enum":["UTF8","Legacy"]},"nodeSelector":{"description":"nodeSelector defines on which Nodes the Pods are scheduled.","type":"object","additionalProperties":{"type":"string"}},"otlp":{"description":"otlp defines the settings related to the OTLP receiver feature.\nIt requires Prometheus >= v2.55.0.","type":"object","properties":{"convertHistogramsToNHCB":{"description":"convertHistogramsToNHCB defines optional translation of OTLP explicit bucket histograms into native histograms with custom buckets.\nIt requires Prometheus >= v3.4.0.","type":"boolean"},"ignoreResourceAttributes":{"description":"ignoreResourceAttributes defines the list of OpenTelemetry resource 
attributes to ignore when `promoteAllResourceAttributes` is true.\n\nIt requires `promoteAllResourceAttributes` to be true.\nIt requires Prometheus >= v3.5.0.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"keepIdentifyingResourceAttributes":{"description":"keepIdentifyingResourceAttributes enables adding `service.name`, `service.namespace` and `service.instance.id`\nresource attributes to the `target_info` metric, on top of converting them into the `instance` and `job` labels.\n\nIt requires Prometheus >= v3.1.0.","type":"boolean"},"promoteAllResourceAttributes":{"description":"promoteAllResourceAttributes promotes all resource attributes to metric labels except the ones defined in `ignoreResourceAttributes`.\n\nCannot be true when `promoteResourceAttributes` is defined.\nIt requires Prometheus >= v3.5.0.","type":"boolean"},"promoteResourceAttributes":{"description":"promoteResourceAttributes defines the list of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none.\nCannot be defined when `promoteAllResourceAttributes` is true.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"promoteScopeMetadata":{"description":"promoteScopeMetadata controls whether to promote OpenTelemetry scope metadata (i.e. name, version, schema URL, and attributes) to metric labels.\nAs per the OpenTelemetry specification, the aforementioned scope metadata should be identifying, i.e. 
made into metric labels.\nIt requires Prometheus >= v3.6.0.","type":"boolean"},"translationStrategy":{"description":"translationStrategy defines how the OTLP receiver endpoint translates the incoming metrics.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["NoUTF8EscapingWithSuffixes","UnderscoreEscapingWithSuffixes","NoTranslation","UnderscoreEscapingWithoutSuffixes"]}}},"overrideHonorLabels":{"description":"overrideHonorLabels when true, Prometheus resolves label conflicts by renaming the labels in the scraped data\n to “exported_” for all targets created from ServiceMonitor, PodMonitor and\nScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies.\nIn practice,`OverrideHonorLabels:true` enforces `honorLabels:false`\nfor all ServiceMonitor, PodMonitor and ScrapeConfig objects.","type":"boolean"},"overrideHonorTimestamps":{"description":"overrideHonorTimestamps when true, Prometheus ignores the timestamps for all the targets created\nfrom service and pod monitors.\nOtherwise the HonorTimestamps field of the service or pod monitor applies.","type":"boolean"},"paused":{"description":"paused defines when a Prometheus deployment is paused, no actions except for deletion\nwill be performed on the underlying objects.","type":"boolean"},"persistentVolumeClaimRetentionPolicy":{"description":"persistentVolumeClaimRetentionPolicy defines the field controls if and how PVCs are deleted during the lifecycle of a StatefulSet.\nThe default behavior is all PVCs are retained.\nThis is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26.\nIt requires enabling the StatefulSetAutoDeletePVC feature gate.","type":"object","properties":{"whenDeleted":{"description":"WhenDeleted specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is deleted. The default policy\nof `Retain` causes PVCs to not be affected by StatefulSet deletion. 
The\n`Delete` policy causes those PVCs to be deleted.","type":"string"},"whenScaled":{"description":"WhenScaled specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is scaled down. The default\npolicy of `Retain` causes PVCs to not be affected by a scaledown. The\n`Delete` policy causes the associated PVCs for any excess pods above\nthe replica count to be deleted.","type":"string"}}},"podManagementPolicy":{"description":"podManagementPolicy defines the policy for creating/deleting pods when\nscaling up and down.\n\nUnlike the default StatefulSet behavior, the default policy is\n`Parallel` to avoid manual intervention in case a pod gets stuck during\na rollout.\n\nNote that updating this value implies the recreation of the StatefulSet\nwhich incurs a service outage.","type":"string","enum":["OrderedReady","Parallel"]},"podMetadata":{"description":"podMetadata defines labels and annotations which are propagated to the Prometheus pods.\n\nThe following items are reserved and cannot be overridden:\n* \"prometheus\" label, set to the name of the Prometheus object.\n* \"app.kubernetes.io/instance\" label, set to the name of the Prometheus object.\n* \"app.kubernetes.io/managed-by\" label, set to \"prometheus-operator\".\n* \"app.kubernetes.io/name\" label, set to \"prometheus\".\n* \"app.kubernetes.io/version\" label, set to the Prometheus version.\n* \"operator.prometheus.io/name\" label, set to the name of the Prometheus object.\n* \"operator.prometheus.io/shard\" label, set to the shard number of the Prometheus object.\n* \"kubectl.kubernetes.io/default-container\" annotation, set to \"prometheus\".","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. 
They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"podMonitorNamespaceSelector":{"description":"podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector\nmatches all namespaces. A null label selector (default value) matches the current\nnamespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podMonitorSelector":{"description":"podMonitorSelector defines the podMonitors to be selected for target discovery. An empty label selector\nmatches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podTargetLabels":{"description":"podTargetLabels are appended to the `spec.podTargetLabels` field of all\nPodMonitor and ServiceMonitor objects.","type":"array","items":{"type":"string"}},"portName":{"description":"portName used for the pods and governing service.\nDefault: \"web\"","type":"string"},"priorityClassName":{"description":"priorityClassName assigned to the Pods.","type":"string"},"probeNamespaceSelector":{"description":"probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label\nselector matches all namespaces. 
A null label selector matches the\ncurrent namespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeSelector":{"description":"probeSelector defines the probes to be selected for target discovery. An empty label selector\nmatches all objects. 
A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"prometheusExternalLabelName":{"description":"prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance\nname. The external label will _not_ be added when the field is set to\nthe empty string (`\"\"`).\n\nDefault: \"prometheus\"","type":"string"},"prometheusRulesExcludedFromEnforce":{"description":"prometheusRulesExcludedFromEnforce defines the list of PrometheusRule objects to which the namespace label\nenforcement doesn't apply.\nThis is only relevant when `spec.enforcedNamespaceLabel` is set to true.\nDeprecated: use `spec.excludedFromEnforcement` instead.","type":"array","items":{"description":"PrometheusRuleExcludeConfig enables users to configure excluded\nPrometheusRule names and their namespaces to be ignored while enforcing\nnamespace label for alerts and metrics.","type":"object","required":["ruleName","ruleNamespace"],"properties":{"ruleName":{"description":"ruleName defines the name of the excluded PrometheusRule object.","type":"string"},"ruleNamespace":{"description":"ruleNamespace defines the namespace of the excluded PrometheusRule object.","type":"string"}}}},"query":{"description":"query defines the configuration of the Prometheus query service.","type":"object","properties":{"lookbackDelta":{"description":"lookbackDelta defines the delta difference allowed for retrieving metrics during expression evaluations.","type":"string"},"maxConcurrency":{"description":"maxConcurrency defines the number of concurrent queries that can be run at once.","type":"integer","format":"int32","minimum":1},"maxSamples":{"description":"maxSamples defines the maximum number of samples a single query can load into memory. 
Note that\nqueries will fail if they would load more samples than this into memory,\nso this also limits the number of samples a query can return.","type":"integer","format":"int32"},"timeout":{"description":"timeout defines the maximum time a query may take before being aborted.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"queryLogFile":{"description":"queryLogFile specifies the file to which PromQL queries are logged.\n\nIf the filename has an empty path, e.g. 'query.log', the Prometheus Pods\nwill mount the file into an emptyDir volume at `/var/log/prometheus`.\nIf a full path is provided, e.g. '/var/log/prometheus/query.log', you\nmust mount a volume in the specified directory and it must be writable.\nThis is because the prometheus container runs with a read-only root\nfilesystem for security reasons.\nAlternatively, the location can be set to a standard I/O stream, e.g.\n`/dev/stdout`, to log query information to the default Prometheus log\nstream.","type":"string"},"reloadStrategy":{"description":"reloadStrategy defines the strategy used to reload the Prometheus configuration.\nIf not specified, the configuration is reloaded using the /-/reload HTTP endpoint.","type":"string","enum":["HTTP","ProcessSignal"]},"remoteRead":{"description":"remoteRead defines the list of remote read configurations.","type":"array","items":{"description":"RemoteReadSpec defines the configuration for Prometheus to read back samples\nfrom a remote endpoint.","type":"object","required":["url"],"properties":{"authorization":{"description":"authorization section for the URL.\n\nIt requires Prometheus >= v2.26.0.\n\nCannot be set at the same time as `basicAuth`, or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for 
authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth configuration for the URL.\n\nCannot be set at the same time as `authorization`, or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n*Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file from which to read the bearer token for the URL.\n\nDeprecated: this will be removed in a future release. 
Prefer using `authorization`.","type":"string"},"filterExternalLabels":{"description":"filterExternalLabels defines whether to use the external labels as selectors for the remote read endpoint.\n\nIt requires Prometheus >= v2.34.0.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.\n\nIt requires Prometheus >= v2.26.0.","type":"boolean"},"headers":{"description":"headers defines the custom HTTP headers to be sent along with each remote read request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\nOnly valid in Prometheus versions 2.26.0 and newer.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name of the remote read queue, it must be unique if specified. The\nname is used in metrics and logging in order to differentiate read\nconfigurations.\n\nIt requires Prometheus >= v2.15.0.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 configuration for the URL.\n\nIt requires Prometheus >= v2.27.0.\n\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is accepted without verification, so the TLS connection no longer authenticates the endpoint.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"readRecent":{"description":"readRecent defines whether reads should be made for queries for time ranges that\nthe local storage should have complete data for.","type":"boolean"},"remoteTimeout":{"description":"remoteTimeout defines the timeout for requests to the remote read endpoint.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"requiredMatchers":{"description":"requiredMatchers defines an optional list of equality matchers which have to be present\nin a selector to query the remote read endpoint.","type":"object","additionalProperties":{"type":"string"}},"tlsConfig":{"description":"tlsConfig to use for the URL.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is accepted without verification, so the TLS connection no longer authenticates the endpoint.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL of the endpoint to query from.","type":"string"}}}},"remoteWrite":{"description":"remoteWrite defines the list of remote write configurations.","type":"array","items":{"description":"RemoteWriteSpec defines the configuration to write samples from Prometheus\nto a remote endpoint.","type":"object","required":["url"],"properties":{"authorization":{"description":"authorization section for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"azureAd":{"description":"azureAd for the URL.\n\nIt requires Prometheus >= v2.45.0 or Thanos >= v0.31.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.","type":"object","properties":{"cloud":{"description":"cloud defines the Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.","type":"string","enum":["AzureChina","AzureGovernment","AzurePublic"]},"managedIdentity":{"description":"managedIdentity defines the Azure User-assigned Managed identity.\nCannot be set at the same time as `oauth`, `sdk` or `workloadIdentity`.","type":"object","properties":{"clientId":{"description":"clientId defines the Azure User-assigned Managed identity.\n\nFor Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities.","type":"string","minLength":1}}},"oauth":{"description":"oauth defines the oauth config that is being used to authenticate.\nCannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.48.0 or Thanos >= v0.31.0.","type":"object","required":["clientId","clientSecret","tenantId"],"properties":{"clientId":{"description":"clientId defines the clientId of the Azure Active Directory application that is being used to 
authenticate.","type":"string","minLength":1},"clientSecret":{"description":"clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application that is being used to authenticate.","type":"string","minLength":1,"pattern":"^[0-9a-zA-Z-.]+$"}}},"scope":{"description":"scope is the custom OAuth 2.0 scope to request when acquiring tokens.\nIt requires Prometheus >= 3.9.0. Currently not supported by Thanos.","type":"string","pattern":"^[\\w\\s:/.\\\\-]+$"},"sdk":{"description":"sdk defines the Azure SDK config that is being used to authenticate.\nSee https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication\nCannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.52.0 or Thanos >= v0.36.0.","type":"object","properties":{"tenantId":{"description":"tenantId defines the tenant ID of the azure active directory application that is being used to authenticate.","type":"string","pattern":"^[0-9a-zA-Z-.]+$"}}},"workloadIdentity":{"description":"workloadIdentity defines the Azure Workload Identity authentication.\nCannot be set at the same time as `oauth`, `managedIdentity`, or `sdk`.\n\nIt requires Prometheus >= 3.7.0. 
Currently not supported by Thanos.","type":"object","required":["clientId","tenantId"],"properties":{"clientId":{"description":"clientId is the clientID of the Azure Active Directory application.","type":"string","minLength":1},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application.","type":"string","minLength":1}}}}},"basicAuth":{"description":"basicAuth configuration for the URL.\n\nCannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n*Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file from which to read the bearer token for the URL.\n\nDeprecated: this will be removed in a future release. Prefer using `authorization`.","type":"string"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.","type":"boolean"},"headers":{"description":"headers defines the custom HTTP headers to be sent along with each remote write request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\n\nIt requires Prometheus >= v2.25.0 or Thanos >= v0.24.0.","type":"object","additionalProperties":{"type":"string"}},"messageVersion":{"description":"messageVersion defines the Remote Write message's version to use when writing to the endpoint.\n\n`Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0.\n`Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0.\n\nWhen `Version2.0` is selected, Prometheus will automatically be\nconfigured to append the metadata of scraped metrics to the WAL.\n\nBefore setting this field, consult with your remote storage provider\nwhat message version it supports.\n\nIt requires Prometheus >= v2.54.0 or 
Thanos >= v0.37.0.","type":"string","enum":["V1.0","V2.0"]},"metadataConfig":{"description":"metadataConfig defines how to send series metadata to the remote storage.\n\nWhen the field is empty, **no metadata** is sent. But when the field is\nnull, metadata is sent.","type":"object","properties":{"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of metadata samples per send.\n\nIt requires Prometheus >= v2.29.0.","type":"integer","format":"int32","minimum":-1},"send":{"description":"send defines whether metric metadata is sent to the remote storage or not.","type":"boolean"},"sendInterval":{"description":"sendInterval defines how frequently metric metadata is sent to the remote storage.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"name":{"description":"name of the remote write queue, it must be unique if specified. The\nname is used in metrics and logging in order to differentiate queues.\n\nIt requires Prometheus >= v2.15.0 or Thanos >= 0.24.0.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 configuration for the URL.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables validation of the target's certificate when set to true.\nThe peer is then unauthenticated and the connection can be intercepted; prefer supplying `ca` instead.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"queueConfig":{"description":"queueConfig allows tuning of the remote write queue parameters.","type":"object","properties":{"batchSendDeadline":{"description":"batchSendDeadline defines the maximum time a sample will wait in buffer.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"capacity":{"description":"capacity defines the number of samples to buffer per shard before we start\ndropping them.","type":"integer"},"maxBackoff":{"description":"maxBackoff defines the maximum retry delay.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"maxRetries":{"description":"maxRetries defines the maximum number of times to retry a batch on recoverable errors.","type":"integer"},"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of samples per send.","type":"integer"},"maxShards":{"description":"maxShards defines the maximum number of shards, i.e. amount of concurrency.","type":"integer"},"minBackoff":{"description":"minBackoff defines the initial retry delay. 
Gets doubled for every retry.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"minShards":{"description":"minShards defines the minimum number of shards, i.e. amount of concurrency.","type":"integer"},"retryOnRateLimit":{"description":"retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"boolean"},"sampleAgeLimit":{"description":"sampleAgeLimit drops samples older than the limit.\nIt requires Prometheus >= v2.50.0 or Thanos >= v0.32.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"remoteTimeout":{"description":"remoteTimeout defines the timeout for requests to the remote write endpoint.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"roundRobinDNS":{"description":"roundRobinDNS controls the DNS resolution behavior for remote-write connections.\nWhen enabled:\n  - The remote-write mechanism will resolve the hostname via DNS.\n  - It will randomly select one of the resolved IP addresses and connect to it.\n\nWhen disabled (default behavior):\n  - The Go standard library will handle hostname resolution.\n  - It will attempt connections to each resolved IP address sequentially.\n\nNote: The connection timeout applies to the entire resolution and connection process.\n\n\tIf disabled, the timeout is distributed across all connection attempts.\n\nIt requires Prometheus >= v3.1.0 or Thanos >= v0.38.0.","type":"boolean"},"sendExemplars":{"description":"sendExemplars enables sending of exemplars over remote write. 
Note that\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.","type":"boolean"},"sendNativeHistograms":{"description":"sendNativeHistograms enables sending of native histograms, also known as sparse histograms\nover remote write.\n\nIt requires Prometheus >= v2.40.0 or Thanos >= v0.30.0.","type":"boolean"},"sigv4":{"description":"sigv4 defines the AWS Signature Version 4 signing configuration for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key. If not specified, the environment variable\n`AWS_ACCESS_KEY_ID` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"profile":{"description":"profile defines the named AWS profile used to authenticate.","type":"string"},"region":{"description":"region defines the AWS region. If blank, the region from the default credentials chain is used.","type":"string"},"roleArn":{"description":"roleArn defines the ARN of the AWS role used to authenticate.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret. 
If not specified, the environment\nvariable `AWS_SECRET_ACCESS_KEY` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"useFIPSSTSEndpoint":{"description":"useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint.\nIt requires Prometheus >= v2.54.0.","type":"boolean"}}},"tlsConfig":{"description":"tlsConfig to use for the URL.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify disables validation of the target's certificate when set to true.\nThe peer is then unauthenticated and the connection can be intercepted; prefer supplying `ca` or `caFile` instead.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL of the endpoint to send samples to.","type":"string","minLength":1},"writeRelabelConfigs":{"description":"writeRelabelConfigs defines the list of remote write relabel configurations.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}}}}},"remoteWriteReceiverMessageVersions":{"description":"remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the\nremote writes.\n\nIt requires Prometheus >= v2.54.0.","type":"array","minItems":1,"items":{"type":"string","enum":["V1.0","V2.0"]},"x-kubernetes-list-type":"set"},"replicaExternalLabelName":{"description":"replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name.\nThe external label will _not_ be added when the field is set to the\nempty string (`\"\"`).\n\nDefault: \"prometheus_replica\"","type":"string"},"replicas":{"description":"replicas defines the number of replicas of each shard to deploy for a 
Prometheus deployment.\n`spec.replicas` multiplied by `spec.shards` is the total number of Pods\ncreated.\n\nDefault: 1","type":"integer","format":"int32"},"resources":{"description":"resources defines the resources requests and limits of the 'prometheus' container.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"retention":{"description":"retention defines how long to retain the Prometheus data.\n\nDefault: \"24h\" if `spec.retention` and `spec.retentionSize` are empty.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"retentionSize":{"description":"retentionSize defines the maximum number of bytes used by the Prometheus data.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"routePrefix":{"description":"routePrefix defines the route prefix Prometheus registers HTTP handlers for.\n\nThis is useful when using `spec.externalURL`, and a proxy is rewriting\nHTTP routes of a request, and the actual ExternalURL is still true, but\nthe server serves requests under a different route prefix. For example\nfor use with `kubectl proxy`.","type":"string"},"ruleNamespaceSelector":{"description":"ruleNamespaceSelector defines the namespaces to match for PrometheusRule discovery. An empty label selector\nmatches all namespaces. A null label selector matches the current\nnamespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"ruleQueryOffset":{"description":"ruleQueryOffset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past.\nIt requires Prometheus >= v2.53.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"ruleSelector":{"description":"ruleSelector defines the prometheusRule objects to be selected for rule evaluation. An empty\nlabel selector matches all objects. A null label selector matches no\nobjects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"rules":{"description":"rules defines the configuration of the Prometheus rules' engine.","type":"object","properties":{"alert":{"description":"alert defines the parameters of the Prometheus rules' engine.\n\nAny update to these parameters triggers a restart of the pods.","type":"object","properties":{"forGracePeriod":{"description":"forGracePeriod defines the minimum duration between alert and restored 'for' state.\n\nThis is maintained only for alerts with a configured 'for' time greater\nthan the grace period.","type":"string"},"forOutageTolerance":{"description":"forOutageTolerance defines the max time to tolerate a Prometheus outage for restoring the 'for' state of\nan alert.","type":"string"},"resendDelay":{"description":"resendDelay defines the minimum amount of time to wait before resending an alert to\nAlertmanager.","type":"string"}}}}},"runtime":{"description":"runtime defines the values for the Prometheus process behavior","type":"object","properties":{"goGC":{"description":"goGC defines the Go garbage collection target percentage. 
Lowering this number may increase the CPU usage.\nSee: https://tip.golang.org/doc/gc-guide#GOGC","type":"integer","format":"int32","minimum":-1}}},"sampleLimit":{"description":"sampleLimit defines per-scrape limit on number of scraped samples that will be accepted.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit.","type":"integer","format":"int64"},"scrapeClasses":{"description":"scrapeClasses defines the list of scrape classes to expose to scraping objects such as\nPodMonitors, ServiceMonitors, Probes and ScrapeConfigs.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"array","items":{"type":"object","required":["name"],"properties":{"attachMetadata":{"description":"attachMetadata defines additional metadata to the discovered targets.\nWhen the scrape object defines its own configuration, it takes\nprecedence over the scrape class configuration.","type":"object","properties":{"node":{"description":"node when set to true, Prometheus attaches node metadata to the discovered\ntargets.\n\nThe Prometheus service account must have the `list` and `watch`\npermissions on the `Nodes` objects.","type":"boolean"}}},"authorization":{"description":"authorization section for the ScrapeClass.\nIt will only apply if the scrape resource doesn't specify any Authorization.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"default":{"description":"default defines that the scrape applies to all scrape objects that\ndon't configure an explicit scrape class name.\n\nOnly one scrape class can be set as the default.","type":"boolean"},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\nIt will only apply if the scrape resource doesn't specify any FallbackScrapeProtocol\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"metricRelabelings":{"description":"metricRelabelings defines the relabeling rules to apply to all samples before ingestion.\n\nThe Operator adds the scrape class metric relabelings defined here.\nThen the Operator adds the target-specific metric relabelings defined in ServiceMonitors, PodMonitors, Probes and ScrapeConfigs.\nThen the Operator adds namespace enforcement relabeling rule, specified in '.spec.enforcedNamespaceLabel'.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. 
Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"name":{"description":"name of the scrape class.","type":"string","minLength":1},"relabelings":{"description":"relabelings defines the relabeling rules to apply to all scrape targets.\n\nThe Operator automatically adds relabelings for a few standard Kubernetes fields\nlike `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`.\nThen the Operator adds the scrape class relabelings defined here.\nThen the Operator adds the target-specific relabelings defined in the scrape object.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: 
\"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"tlsConfig":{"description":"tlsConfig defines the TLS settings to use for the scrape. 
When the\nscrape objects define their own CA, certificate and/or key, they take\nprecedence over the corresponding scrape class fields.\n\nFor now only the `caFile`, `certFile` and `keyFile` fields are supported.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.\n\nIt requires Prometheus >= v3.5.0.","type":"boolean"},"scrapeConfigNamespaceSelector":{"description":"scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector\nmatches all namespaces. A null label selector matches the current\nnamespace only.\n\nNote that the ScrapeConfig custom resource definition is currently at Alpha level.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeConfigSelector":{"description":"scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label\nselector matches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. 
It is recommended to use\n`spec.additionalScrapeConfigs` instead.\n\nNote that the ScrapeConfig custom resource definition is currently at Alpha level.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeFailureLogFile":{"description":"scrapeFailureLogFile defines the file to which scrape failures are logged.\nReloading the configuration will reopen the file.\n\nIf the filename has an empty path, e.g. 'file.log', The Prometheus Pods\nwill mount the file into an emptyDir volume at `/var/log/prometheus`.\nIf a full path is provided, e.g. 
'/var/log/prometheus/file.log', you\nmust mount a volume in the specified directory and it must be writable.\nIt requires Prometheus >= v2.55.0.","type":"string","minLength":1},"scrapeInterval":{"description":"scrapeInterval defines interval between consecutive scrapes.\n\nDefault: \"30s\"","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.\n\n`PrometheusText1.0.0` requires Prometheus >= v3.0.0.","type":"array","items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"scrapeTimeout":{"description":"scrapeTimeout defines the number of seconds to wait until a scrape request times out.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"secrets":{"description":"secrets defines a list of Secrets in the same namespace as the Prometheus\nobject, which shall be mounted into the Prometheus Pods.\nEach Secret is added to the StatefulSet definition as a volume named `secret-<secret-name>`.\nThe Secrets are mounted into 
/etc/prometheus/secrets/<secret-name> in the 'prometheus' container.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"securityContext":{"description":"securityContext holds pod-level security attributes and common container settings.\nThis defaults to the default PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. 
This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxChangePolicy":{"description":"seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or on volumes that do not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. 
Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, 
relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified).  If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"description":"Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"serviceAccountName":{"description":"serviceAccountName is the name of the ServiceAccount to use to run the\nPrometheus Pods.","type":"string"},"serviceDiscoveryRole":{"description":"serviceDiscoveryRole defines the service discovery role used to discover targets from\n`ServiceMonitor` objects and Alertmanager endpoints.\n\nIf set, the value should be either \"Endpoints\" or \"EndpointSlice\".\nIf unset, the operator assumes the \"Endpoints\" role.","type":"string","enum":["Endpoints","EndpointSlice"]},"serviceMonitorNamespaceSelector":{"description":"serviceMonitorNamespaceSelector defines the namespaces to match for ServiceMonitors discovery. An empty label selector\nmatches all namespaces. A null label selector (default value) matches the current\nnamespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceMonitorSelector":{"description":"serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label\nselector matches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceName":{"description":"serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service.\nIf defined, the Service  must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels.\nIf empty, the operator will create and manage a headless service named `prometheus-operated` for Prometheus resources,\nor `prometheus-agent-operated` for PrometheusAgent resources.\nWhen deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each.\nSee https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.","type":"string","minLength":1},"sha":{"description":"sha is deprecated: use 'spec.image' instead. The image's digest can be specified as part of the image name.","type":"string"},"shardRetentionPolicy":{"description":"shardRetentionPolicy defines the retention policy for the Prometheus shards.\n(Alpha) Using this field requires the 'PrometheusShardRetentionPolicy' feature gate to be enabled.\n\nThe final goals for this feature can be seen at https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/proposals/202310-shard-autoscaling.md#graceful-scale-down-of-prometheus-servers,\nhowever, the feature is not yet fully implemented in this PR. 
The limitation being:\n* Retention duration is not settable, for now, shards are retained forever.","type":"object","properties":{"retain":{"description":"retain defines the config for retention when the retention policy is set to `Retain`.\nThis field is ineffective as of now.","type":"object","required":["retentionPeriod"],"properties":{"retentionPeriod":{"description":"retentionPeriod defines the retentionPeriod for shard retention policy.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"whenScaled":{"description":"whenScaled defines the retention policy when the Prometheus shards are scaled down.\n* `Delete`, the operator will delete the pods from the scaled-down shard(s).\n* `Retain`, the operator will keep the pods from the scaled-down shard(s), so the data can still be queried.\n\nIf not defined, the operator assumes the `Delete` value.","type":"string","enum":["Retain","Delete"]}}},"shards":{"description":"shards defines the number of shards to distribute the scraped targets onto.\n\n`spec.replicas` multiplied by `spec.shards` is the total number of Pods\nbeing created.\n\nWhen not defined, the operator assumes only one shard.\n\nNote that scaling down shards will not reshard data onto the remaining\ninstances, it must be manually moved. Increasing shards will not reshard\ndata either but it will continue to be available from the same\ninstances. 
To query globally, use either\n* Thanos sidecar + querier for query federation and Thanos Ruler for rules.\n* Remote-write to send metrics to a central location.\n\nBy default, the sharding of targets is performed on:\n* The `__address__` target's metadata label for PodMonitor,\nServiceMonitor and ScrapeConfig resources.\n* The `__param_target__` label for Probe resources.\n\nUsers can define their own sharding implementation by setting the\n`__tmp_hash` label during the target discovery with relabeling\nconfiguration (either in the monitoring resources or via scrape class).\n\nYou can also disable sharding on a specific target by setting the\n`__tmp_disable_sharding` label with relabeling configuration. When\nthe label value isn't empty, all Prometheus shards will scrape the target.","type":"integer","format":"int32"},"storage":{"description":"storage defines the storage used by Prometheus.","type":"object","properties":{"disableMountSubPath":{"description":"disableMountSubPath deprecated: subPath usage will be removed in a future release.","type":"boolean"},"emptyDir":{"description":"emptyDir to be used by the StatefulSet.\nIf specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that 
the limit is undefined.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral to be used by the StatefulSet.\nThis is a beta field in k8s 1.21 and GA in 1.15.\nFor lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate.\nMore info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. 
No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. 
This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote 
that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"volumeClaimTemplate":{"description":"volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets.\nThe easiest way to use a volume that cannot be automatically provisioned\nis to use a label selector alongside manually created PersistentVolumes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata defines EmbeddedMetadata contains metadata relevant to an EmbeddedResource.","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset 
by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"spec":{"description":"spec defines the specification of the  characteristics of a volume requested by a pod author.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource 
contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. 
For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. 
See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}},"status":{"description":"status is deprecated: this field is never set.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. 
Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"description":"When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource\nthat it does not recognizes, then it should ignore that update and let other controllers\nhandle it.","type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being\nresized then the Condition will be set to 'Resizing'.","type":"array","items":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["status","type"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","type":"string","format":"date-time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, this should be a short, machine understandable string that gives the reason\nfor condition's last transition. 
If it reports \"Resizing\" that means the underlying\npersistent volume is being resized.","type":"string"},"status":{"description":"Status is the status of the condition.\nCan be True, False, Unknown.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required","type":"string"},"type":{"description":"Type is the type of the condition.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.\nWhen unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.\nWhen this is unset, there is no ModifyVolume operation being attempted.","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. 
Consumers should check for unknown statuses and fail appropriately.","type":"string"},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}}},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.","type":"string"}}}}}}},"tag":{"description":"tag is deprecated: use 'spec.image' instead. The image's tag can be specified as part of the image name.","type":"string"},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will be accepted.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit.","type":"integer","format":"int64"},"terminationGracePeriodSeconds":{"description":"terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down) which may lead to data corruption.\n\nDefaults to 600 seconds.","type":"integer","format":"int64","minimum":0},"thanos":{"description":"thanos defines the configuration of the optional Thanos sidecar.","type":"object","properties":{"additionalArgs":{"description":"additionalArgs allows setting additional arguments for the Thanos container.\nThe arguments are passed as-is to the Thanos container which may cause issues\nif they are invalid or not supported the given Thanos version.\nIn case of an argument conflict (e.g. 
an argument which is already set by the\noperator itself) or when providing an invalid argument, the reconciliation will\nfail and an error will be logged.","type":"array","items":{"description":"Argument as part of the AdditionalArgs list.","type":"object","required":["name"],"properties":{"name":{"description":"name of the argument, e.g. \"scrape.discovery-reload-interval\".","type":"string","minLength":1},"value":{"description":"value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile)","type":"string"}}}},"baseImage":{"description":"baseImage is deprecated: use 'image' instead.","type":"string"},"blockSize":{"description":"blockSize controls the size of TSDB blocks produced by Prometheus.\nThe default value is 2h to match the upstream Prometheus defaults.\n\nWARNING: Changing the block duration can impact the performance and\nefficiency of the entire Prometheus/Thanos stack due to how it interacts\nwith memory and Thanos compactors. It is recommended to keep this value\nset to a multiple of 120 times your longest scrape or rule interval. 
For\nexample, 30s * 120 = 1h.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"getConfigInterval":{"description":"getConfigInterval defines how often to retrieve the Prometheus configuration.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"getConfigTimeout":{"description":"getConfigTimeout defines the maximum time to wait when retrieving the Prometheus configuration.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"grpcListenLocal":{"description":"grpcListenLocal defines when true, the Thanos sidecar listens on the loopback interface instead\nof the Pod IP's address for the gRPC endpoints.\n\nIt has no effect if `listenLocal` is true.","type":"boolean"},"grpcServerTlsConfig":{"description":"grpcServerTlsConfig defines the TLS parameters for the gRPC server providing the StoreAPI.\n\nNote: Currently only the `caFile`, `certFile`, and `keyFile` fields are supported.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify, when true, disables target certificate validation.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"httpListenLocal":{"description":"httpListenLocal when true, the Thanos sidecar listens on the loopback interface instead\nof the Pod IP's address for the HTTP endpoints.\n\nIt has no effect if `listenLocal` is true.","type":"boolean"},"image":{"description":"image defines the container image name for Thanos. 
If specified, it takes precedence over\nthe `spec.thanos.baseImage`, `spec.thanos.tag` and `spec.thanos.sha`\nfields.\n\nSpecifying `spec.thanos.version` is still necessary to ensure the\nPrometheus Operator knows which version of Thanos is being configured.\n\nIf neither `spec.thanos.image` nor `spec.thanos.baseImage` are defined,\nthe operator will use the latest upstream version of Thanos available at\nthe time when the operator was released.","type":"string"},"listenLocal":{"description":"listenLocal is deprecated: use `grpcListenLocal` and `httpListenLocal` instead.","type":"boolean"},"logFormat":{"description":"logFormat for the Thanos sidecar.","type":"string","enum":["","logfmt","json"]},"logLevel":{"description":"logLevel for the Thanos sidecar.","type":"string","enum":["","debug","info","warn","error"]},"minTime":{"description":"minTime defines the start of time range limit served by the Thanos sidecar's StoreAPI.\nThe field's value should be a constant time in RFC3339 format or a time\nduration relative to current time, such as -1d or 2h45m. Valid duration\nunits are ms, s, m, h, d, w, y.","type":"string"},"objectStorageConfig":{"description":"objectStorageConfig defines the Thanos sidecar's configuration to upload TSDB blocks to object storage.\n\nMore info: https://thanos.io/tip/thanos/storage.md/\n\nobjectStorageConfigFile takes precedence over this field.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"objectStorageConfigFile":{"description":"objectStorageConfigFile defines the Thanos sidecar's configuration file to upload TSDB blocks to object storage.\n\nMore info: https://thanos.io/tip/thanos/storage.md/\n\nThis field takes precedence over objectStorageConfig.","type":"string"},"readyTimeout":{"description":"readyTimeout defines the maximum time that the Thanos sidecar will wait for\nPrometheus to start.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"resources":{"description":"resources defines the resources requests and limits of the Thanos sidecar.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"sha":{"description":"sha is deprecated: use 'image' instead.  The image digest can be specified as part of the image name.","type":"string"},"tag":{"description":"tag is deprecated: use 'image' instead. 
The image's tag can be specified as part of the image name.","type":"string"},"tracingConfig":{"description":"tracingConfig defines the tracing configuration for the Thanos sidecar.\n\n`tracingConfigFile` takes precedence over this field.\n\nMore info: https://thanos.io/tip/thanos/tracing.md/\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tracingConfigFile":{"description":"tracingConfigFile defines the tracing configuration file for the Thanos sidecar.\n\nThis field takes precedence over `tracingConfig`.\n\nMore info: https://thanos.io/tip/thanos/tracing.md/\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"string"},"version":{"description":"version of Thanos being deployed. 
The operator uses this information\nto generate the Prometheus StatefulSet + configuration files.\n\nIf not specified, the operator assumes the latest upstream release of\nThanos available at the time when the version of the operator was\nreleased.","type":"string"},"volumeMounts":{"description":"volumeMounts allows configuration of additional VolumeMounts for Thanos.\nVolumeMounts specified will be appended to other VolumeMounts in the\n'thanos-sidecar' container.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}}}}},"tolerations":{"description":"tolerations defines the Pods' tolerations if specified.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}},"topologySpreadConstraints":{"description":"topologySpreadConstraints defines the pod's topology spread constraints if specified.","type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"additionalLabelSelectors":{"description":"additionalLabelSelectors Defines what Prometheus Operator managed labels should be added to labelSelector on the topologySpreadConstraint.","type":"string","enum":["OnResource","OnShard"]},"labelSelector":{"description":"LabelSelector is used to find matching pods.\nPods that match this label selector are counted to determine the number of pods\nin their corresponding topology domain.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which\nspreading will be calculated. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are ANDed with labelSelector\nto select the group of existing pods over which spreading will be calculated\nfor the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.\nMatchLabelKeys cannot be set when LabelSelector isn't set.\nKeys that don't exist in the incoming pod labels will\nbe ignored. 
A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed.\nWhen `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference\nbetween the number of matching pods in the target topology and the global minimum.\nThe global minimum is the minimum number of matching pods in an eligible domain\nor zero if the number of eligible domains is less than MinDomains.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 2/2/1:\nIn this case, the global minimum is 1.\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |   P   |\n- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;\nscheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)\nviolate MaxSkew(1).\n- if MaxSkew is 2, incoming pod can be scheduled onto any zone.\nWhen `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence\nto topologies that satisfy it.\nIt's a required field. 
Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains.\nWhen the number of eligible domains with matching topology keys is less than minDomains,\nPod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed.\nAnd when the number of eligible domains with matching topology keys equals or greater than minDomains,\nthis value has no effect on scheduling.\nAs a result, when the number of eligible domains is less than minDomains,\nscheduler won't schedule more than maxSkew Pods to those domains.\nIf value is nil, the constraint behaves as if MinDomains is equal to 1.\nValid values are integers greater than 0.\nWhen value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same\nlabelSelector spread as 2/2/2:\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |  P P  |\nThe number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0.\nIn this situation, new pod with the same labelSelector cannot be scheduled,\nbecause computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,\nit will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector\nwhen calculating pod topology spread skew. Options are:\n- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.\n- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.","type":"string"},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating\npod topology spread skew. 
Options are:\n- Honor: nodes without taints, along with tainted nodes for which the incoming pod\nhas a toleration, are included.\n- Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.","type":"string"},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key\nand identical values are considered to be in the same topology.\nWe consider each <key, value> as a \"bucket\", and try to put balanced number\nof pods into each bucket.\nWe define a domain as a particular instance of a topology.\nAlso, we define an eligible domain as a domain whose nodes meet the requirements of\nnodeAffinityPolicy and nodeTaintsPolicy.\ne.g. If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology.\nAnd, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology.\nIt's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy\nthe spread constraint.\n- DoNotSchedule (default) tells the scheduler not to schedule it.\n- ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod\nif and only if every possible node assignment for that pod would violate\n\"MaxSkew\" on some topology.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 3/1/1:\n| zone1 | zone2 | zone3 |\n| P P P |   P   |   P   |\nIf WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled\nto zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies\nMaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler\nwon't make it *more* imbalanced.\nIt's a required field.","type":"string"}}}},"tracingConfig":{"description":"tracingConfig defines tracing in Prometheus.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"object","required":["endpoint"],"properties":{"clientType":{"description":"clientType defines the client used to export the traces. Supported values are `HTTP` and `GRPC`.","type":"string","enum":["http","grpc","HTTP","GRPC"]},"compression":{"description":"compression key for supported compression types. The only supported value is `Gzip`.","type":"string","enum":["gzip","Gzip"]},"endpoint":{"description":"endpoint to send the traces to. Should be provided in format <host>:<port>.","type":"string","minLength":1},"headers":{"description":"headers defines the key-value pairs to be used as headers associated with gRPC or HTTP requests.","type":"object","additionalProperties":{"type":"string"}},"insecure":{"description":"insecure, if disabled, makes the client use a secure connection.","type":"boolean"},"samplingFraction":{"description":"samplingFraction defines the probability a given trace will be sampled. 
Must be a float from 0 through 1.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"timeout":{"description":"timeout defines the maximum time the exporter will wait for each batch export.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig to use when sending traces.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify, when true, disables target certificate validation.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"tsdb":{"description":"tsdb defines the runtime reloadable configuration of the timeseries database(TSDB).\nIt requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.","type":"object","properties":{"outOfOrderTimeWindow":{"description":"outOfOrderTimeWindow defines how old an out-of-order/out-of-bounds sample can be with\nrespect to the TSDB max time.\n\nAn out-of-order/out-of-bounds sample is ingested into the TSDB as long as\nthe timestamp of the sample is >= (TSDB.MaxTime - outOfOrderTimeWindow).\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.\n\nIt requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"updateStrategy":{"description":"updateStrategy indicates the strategy that will be employed to update\nPods in the StatefulSet when a revision is made to statefulset's Pod\nTemplate.\n\nThe default strategy is RollingUpdate.","type":"object","required":["type"],"properties":{"rollingUpdate":{"description":"rollingUpdate is used to communicate parameters when 
type is RollingUpdate.","type":"object","properties":{"maxUnavailable":{"description":"maxUnavailable is the maximum number of pods that can be unavailable\nduring the update. The value can be an absolute number (ex: 5) or a\npercentage of desired pods (ex: 10%). Absolute number is calculated from\npercentage by rounding up. This can not be 0.  Defaults to 1. This field\nis alpha-level and is only honored by servers that enable the\nMaxUnavailableStatefulSet feature. The field applies to all pods in the\nrange 0 to Replicas-1.  That means if there is any unavailable pod in\nthe range 0 to Replicas-1, it will be counted towards MaxUnavailable.","x-kubernetes-int-or-string":true}}},"type":{"description":"type indicates the type of the StatefulSetUpdateStrategy.\n\nDefault is RollingUpdate.","type":"string","enum":["OnDelete","RollingUpdate"]}},"x-kubernetes-validations":[{"message":"rollingUpdate requires type to be RollingUpdate","rule":"!(self.type != 'RollingUpdate' && has(self.rollingUpdate))"}]},"version":{"description":"version of Prometheus being deployed. The operator uses this information\nto generate the Prometheus StatefulSet + configuration files.\n\nIf not specified, the operator assumes the latest upstream version of\nPrometheus available at the time when the version of the operator was\nreleased.","type":"string"},"volumeMounts":{"description":"volumeMounts allows the configuration of additional VolumeMounts.\n\nVolumeMounts will be appended to other VolumeMounts in the 'prometheus'\ncontainer, that are generated as a result of StorageSpec objects.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}}},"volumes":{"description":"volumes allows the configuration of additional volumes on the output\nStatefulSet definition. Volumes specified will be appended to other\nvolumes that are generated as a result of StorageSpec objects.","type":"array","items":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: AWSElasticBlockStore is deprecated. 
All operations for the in-tree\nawsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}}},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.\nDeprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type\nare redirected to the disk.csi.azure.com CSI driver.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.","type":"string"},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"}}},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.\nDeprecated: AzureFile is deprecated. All operations for the in-tree azureFile type\nare redirected to the file.csi.azure.com CSI driver.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the  name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.\nDeprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is optional: User is the rados user name, default is admin\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine.\nDeprecated: Cinder is deprecated. All operations for the in-tree cinder type\nare redirected to the cinder.csi.openstack.org CSI driver.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect\nto OpenStack.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"description":"volumeID used to identify the volume in cinder.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"configMap":{"description":"configMap represents a configMap that should populate this volume","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' 
path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume.\nConsult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. 
\"ext4\", \"xfs\", \"ntfs\".\nIf not provided, the empty value is passed to the associated CSI driver\nwhich will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing\nsensitive information to pass to the CSI driver to complete the CSI\nNodePublishVolume and NodeUnpublishVolume calls.\nThis field is optional, and  may be empty if no secret is required. If the\nsecret object contains more than one secret, all secret references are passed.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume.\nDefaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI\ndriver. Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits to use on created files by default. 
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: 
https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver.\nThe volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,\nand deleted when the pod is removed.\n\nUse this if:\na) the volume is only needed while the pod runs,\nb) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and\nd) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific\nAPIs for volumes that persist for longer than the lifecycle\nof an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to\nbe used that way - see the documentation of the driver for\nmore information.\n\nA pod can use both types of ephemeral volumes and\npersistent volumes at the same time.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. 
Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the 
group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be 
enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids)\nEither wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"description":"flexVolume represents a generic volume resource that is\nprovisioned/attached using an exec based plugin.\nDeprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing\nsensitive information to pass to the plugin scripts. This may be\nempty if no secret object is specified. 
If the secret object\ncontains more than one secret, all secrets are passed to the plugin\nscripts.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.\nDeprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","type":"object","properties":{"datasetName":{"description":"datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker\nshould be considered as deprecated","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset","type":"string"}}},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: GCEPersistentDisk is deprecated. All operations for the in-tree\ngcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}}},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision.\nDeprecated: GitRepo is deprecated. To provision a container with a git repo, mount an\nEmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir\ninto the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name.\nMust not contain or start with '..'.  If '.' is supplied, the volume directory will be the\ngit repository.  
Otherwise, if specified, the volume will contain the git repository in\nthe subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}}},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.\nDeprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology.","type":"string"},"path":{"description":"path is the Glusterfs volume path.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. 
Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume\nDefaults to \"\"\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"}}},"image":{"description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.\nThe volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\n- Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\n- IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.\nA failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. 
Failures will be retried using normal volume backoff and will be reported on the pod reason and message.\nThe types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.\nThe OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.\nThe volume will be mounted read-only (ro) and non-executable files (noexec).\nSub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.\nThe field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.","type":"object","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are:\nAlways: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\nNever: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\nIfNotPresent: the kubelet pulls if the reference isn't already present on disk. 
Container creation will fail if the reference isn't present and the pull fails.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.","type":"string"},"reference":{"description":"Required: Image or artifact reference to be used.\nBehaves in the same way as pod.spec.containers[*].image.\nPull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"}}},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi","type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether to support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether to support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n<target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"string"}}},"name":{"description":"name of the volume.\nMust be a DNS_LABEL and unique within the pod.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"object","required":["path","server"],"properties":{"path":{"description":"path that is exported by the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}}},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a\nPersistentVolumeClaim in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts.\nDefault false.","type":"boolean"}}},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.\nDeprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type 
is no longer supported.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}}},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine.\nDeprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type\nare redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate\nis on.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}}},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections. 
Each entry in this list\nhandles one source.","type":"array","items":{"description":"Projection that may be projected along with other supported volume types.\nExactly one of these fields must be set.","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem.  Esoteric PEM features such as inter-block\ncomments and block headers are stripped.  Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector.  Only has\neffect if signerName is set.  Mutually-exclusive with name.  If unset,\ninterpreted as \"match nothing\".  If set but empty, interpreted as \"match\neverything\".","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"description":"Select a single ClusterTrustBundle by object name.  Mutually-exclusive\nwith signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s)\naren't available.  If using name, then the named ClusterTrustBundle is\nallowed not to exist.  If using signerName, then the combination of\nsignerName and labelSelector is allowed to match zero\nClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name.\nMutually-exclusive with name.  The contents of all selected\nClusterTrustBundles will be unified and deduplicated.","type":"string"}}},"configMap":{"description":"configMap information about the configMap data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. 
Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"description":"Projects an auto-rotating credential bundle (private key and certificate\nchain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a\nPodCertificateRequest to the named signer.  Once the signer approves the\nrequest and issues a certificate chain, Kubelet writes the key and\ncertificate chain to the pod filesystem.  The pod does not start until\ncertificates have been issued for each podCertificate projected volume\nsource in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated\nby the signer using the PodCertificateRequest.Status.BeginRefreshAt\ntimestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath\nfield, or separate files, indicated by the keyPath and\ncertificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  
The first PEM\nentry is the private key (in PKCS#8 format), and the remaining PEM\nentries are the certificate chain issued by the signer (typically,\nsigners will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code\ncan read it atomically.  If you use keyPath and certificateChainPath,\nyour application must make two separate file reads. If these coincide\nwith a certificate rotation, it is possible that the private key and leaf\ncertificate you read may not correspond to each other.  Your application\nwill need to check for this condition, and re-read until they are\nconsistent.\n\nThe named signer chooses the format of the certificate it\nissues; consult the signer implementation's documentation to learn how to\nuse the certificates it issues.","type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"description":"Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"credentialBundlePath":{"description":"Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks.\nThe first PEM block is a PRIVATE KEY block, containing a PKCS#8 private\nkey.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued\ncertificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single\natomic read that retrieves a consistent key and certificate chain.  
If you\nproject them to separate files, your application code will need to\nadditionally check that the leaf certificate was issued to the key.","type":"string"},"keyPath":{"description":"Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"keyType":{"description":"The type of keypair Kubelet will generate for the pod.\n\nValid values are \"RSA3072\", \"RSA4096\", \"ECDSAP256\", \"ECDSAP384\",\n\"ECDSAP521\", and \"ED25519\".","type":"string"},"maxExpirationSeconds":{"description":"maxExpirationSeconds is the maximum lifetime permitted for the\ncertificate.\n\nKubelet copies this value verbatim into the PodCertificateRequests it\ngenerates for this projection.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver\nwill reject values shorter than 3600 (1 hour).  The maximum allowable\nvalue is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any\nlifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600\nseconds (1 hour).  This constraint is enforced by kube-apiserver.\n`kubernetes.io` signers will never issue certificates with a lifetime\nlonger than 24 hours.","type":"integer","format":"int32"},"signerName":{"description":"Kubelet's generated CSRs will be addressed to this signer.","type":"string"}}},"secret":{"description":"secret information about the secret data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token\nmust identify itself with an identifier specified in the audience of the\ntoken, and otherwise should reject the token. 
The audience defaults to the\nidentifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service\naccount token. As the token approaches expiration, the kubelet volume\nplugin will proactively rotate the service account token. The kubelet will\nstart trying to rotate the token if the token is older than 80 percent of\nits time to live or if the token is older than 24 hours. Defaults to 1 hour\nand must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the\ntoken into.","type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime.\nDeprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to\nDefault is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions.\nDefaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services\nspecified as a string as host:port pair (multiple entries are separated with commas)\nwhich acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend\nUsed with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to\nDefaults to serviceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}}},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nDeprecated: RBD is 
deprecated and the in-tree rbd type is no longer supported.","type":"object","required":["image","monitors"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided\noverrides keyring.\nDefault is nil.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.\nDeprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other\nsensitive information. If this is not provided, Login operation will fail.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"description":"sslEnabled Flag enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system\nthat is associated with this volume source.","type":"string"}}},"secret":{"description":"secret represents a secret that should populate this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values\nfor mode bits. Defaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}}},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.\nDeprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API\ncredentials.  If not specified, default values will be attempted.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume\nnames are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no\nnamespace is specified then the Pod's namespace will be used.  This allows the\nKubernetes name scoping to be mirrored within StorageOS for tighter integration.\nSet VolumeName to any name to override the default behaviour.\nSet to \"default\" if you are not using namespaces within StorageOS.\nNamespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.\nDeprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type\nare redirected to the csi.vsphere.vmware.com CSI driver.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}}}}}},"walCompression":{"description":"walCompression defines the compression of the write-ahead log (WAL) using Snappy.\n\nWAL compression is enabled by default for Prometheus >= 2.20.0\n\nRequires Prometheus v2.11.0 and above.","type":"boolean"},"web":{"description":"web defines the configuration of the Prometheus web server.","type":"object","properties":{"httpConfig":{"description":"httpConfig defines HTTP parameters for web server.","type":"object","properties":{"headers":{"description":"headers defines a list of headers that can be added to HTTP responses.","type":"object","properties":{"contentSecurityPolicy":{"description":"contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses.\nUnset if blank.","type":"string"},"strictTransportSecurity":{"description":"strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses.\nUnset if blank.\nPlease make sure that you use this with care as this header might force\nbrowsers to load Prometheus and the other applications hosted on the same\ndomain and subdomains over HTTPS.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security","type":"string"},"xContentTypeOptions":{"description":"xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses.\nUnset if blank. 
Accepted value is nosniff.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options","type":"string","enum":["","NoSniff"]},"xFrameOptions":{"description":"xFrameOptions defines the X-Frame-Options header to HTTP responses.\nUnset if blank. Accepted values are deny and sameorigin.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options","type":"string","enum":["","Deny","SameOrigin"]},"xXSSProtection":{"description":"xXSSProtection defines the X-XSS-Protection header to all responses.\nUnset if blank.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection","type":"string"}}},"http2":{"description":"http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.\nWhen TLSConfig is not configured, HTTP/2 will be disabled.\nWhenever the value of the field changes, a rolling update will be triggered.","type":"boolean"}}},"maxConnections":{"description":"maxConnections defines the maximum number of simultaneous connections\nA zero value means that Prometheus doesn't accept any incoming connection.","type":"integer","format":"int32","minimum":0},"pageTitle":{"description":"pageTitle defines the prometheus web page title.","type":"string"},"tlsConfig":{"description":"tlsConfig defines the TLS parameters for HTTPS.","type":"object","properties":{"cert":{"description":"cert defines the Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.","type":"string"},"cipherSuites":{"description":"cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants","type":"array","items":{"type":"string"}},"clientAuthType":{"description":"clientAuthType defines the server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType","type":"string"},"clientCAFile":{"description":"clientCAFile defines the path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with 
`client_ca`.","type":"string"},"client_ca":{"description":"client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"curvePreferences":{"description":"curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID","type":"array","items":{"type":"string"}},"keyFile":{"description":"keyFile defines the path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.","type":"string"},"keySecret":{"description":"keySecret defines the secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the Maximum TLS version that is acceptable.","type":"string"},"minVersion":{"description":"minVersion defines the minimum TLS version that is acceptable.","type":"string"},"preferServerCipherSuites":{"description":"preferServerCipherSuites defines whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.","type":"boolean"}}}}}}},"status":{"description":"status defines the most recent observed status of the Prometheus cluster. Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this Prometheus deployment.","type":"integer","format":"int32"},"conditions":{"description":"conditions defines the current state of the Prometheus deployment.","type":"array","items":{"description":"Condition represents the state of the resources associated with the\nPrometheus, Alertmanager or ThanosRuler resource.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines human-readable message indicating details for the condition's last 
transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the\ninstance.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.","type":"string","minLength":1}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"paused":{"description":"paused defines whether any actions on the underlying managed objects are\nbeing performed. Only delete actions will be performed.","type":"boolean"},"replicas":{"description":"replicas defines the total number of non-terminated pods targeted by this Prometheus deployment\n(their labels match the selector).","type":"integer","format":"int32"},"selector":{"description":"selector used to match the pods targeted by this Prometheus resource.","type":"string"},"shardStatuses":{"description":"shardStatuses defines a list that has one entry per shard. 
Each entry provides a summary of the shard status.","type":"array","items":{"type":"object","required":["availableReplicas","replicas","shardID","unavailableReplicas","updatedReplicas"],"properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this shard.","type":"integer","format":"int32"},"replicas":{"description":"replicas defines the total number of pods targeted by this shard.","type":"integer","format":"int32"},"shardID":{"description":"shardID defines the identifier of the shard.","type":"string"},"unavailableReplicas":{"description":"unavailableReplicas defines the Total number of unavailable pods targeted by this shard.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this shard\nthat have the desired spec.","type":"integer","format":"int32"}}},"x-kubernetes-list-map-keys":["shardID"],"x-kubernetes-list-type":"map"},"shards":{"description":"shards defines the most recently observed number of shards.","type":"integer","format":"int32"},"unavailableReplicas":{"description":"unavailableReplicas defines the total number of unavailable pods targeted by this Prometheus deployment.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this Prometheus deployment\nthat have the desired version spec.","type":"integer","format":"int32"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"Prometheus","version":"v1"}],"title":"com.coreos.monitoring.v1.Prometheus"},"com.coreos.monitoring.v1.PrometheusList":{"description":"PrometheusList is a list of Prometheus","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of prometheuses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.Prometheus"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PrometheusList","version":"v1"}],"title":"com.coreos.monitoring.v1.PrometheusList"},"com.coreos.monitoring.v1.PrometheusRule":{"description":"The `PrometheusRule` custom resource definition (CRD) defines [alerting](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) and [recording](https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/) rules to be evaluated by `Prometheus` or `ThanosRuler` objects.\n\n`Prometheus` and `ThanosRuler` objects select `PrometheusRule` objects using label and namespace selectors.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of desired alerting rule definitions for Prometheus.","type":"object","properties":{"groups":{"description":"groups defines the content of Prometheus rule file","type":"array","items":{"description":"RuleGroup is a list of sequentially evaluated recording and alerting rules.","type":"object","required":["name"],"properties":{"interval":{"description":"interval defines how often rules in the group are evaluated.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"labels":{"description":"labels define the labels to add or overwrite before storing the result for its rules.\nThe labels defined at the rule level take precedence.\n\nIt requires Prometheus >= 3.0.0.\nThe field is ignored for Thanos Ruler.","type":"object","additionalProperties":{"type":"string"}},"limit":{"description":"limit defines the number of alerts an alerting rule and series a recording\nrule can produce.\nLimit is supported starting with Prometheus >= 2.31 and Thanos Ruler >= 0.24.","type":"integer"},"name":{"description":"name defines the name of the rule group.","type":"string","minLength":1},"partial_response_strategy":{"description":"partial_response_strategy is only used by ThanosRuler and 
will\nbe ignored by Prometheus instances.\nMore info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response","type":"string","pattern":"^(?i)(abort|warn)?$"},"query_offset":{"description":"query_offset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past.\n\nIt requires Prometheus >= v2.53.0.\nIt is not supported for ThanosRuler.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"rules":{"description":"rules defines the list of alerting and recording rules.","type":"array","items":{"description":"Rule describes an alerting or recording rule\nSee Prometheus documentation: [alerting](https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) or [recording](https://www.prometheus.io/docs/prometheus/latest/configuration/recording_rules/#recording-rules) rule","type":"object","required":["expr"],"properties":{"alert":{"description":"alert defines the name of the alert. 
Must be a valid label value.\nOnly one of `record` and `alert` must be set.","type":"string"},"annotations":{"description":"annotations defines annotations to add to each alert.\nOnly valid for alerting rules.","type":"object","additionalProperties":{"type":"string"}},"expr":{"description":"expr defines the PromQL expression to evaluate.","x-kubernetes-int-or-string":true},"for":{"description":"for defines how alerts are considered firing once they have been returned for this long.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"keep_firing_for":{"description":"keep_firing_for defines how long an alert will continue firing after the condition that triggered it has cleared.","type":"string","minLength":1,"pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"labels":{"description":"labels defines labels to add or overwrite.","type":"object","additionalProperties":{"type":"string"}},"record":{"description":"record defines the name of the time series to output to. Must be a valid metric name.\nOnly one of `record` and `alert` must be set.","type":"string"}}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the PrometheusRule. 
Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PrometheusRule","version":"v1"}],"title":"com.coreos.monitoring.v1.PrometheusRule"},"com.coreos.monitoring.v1.PrometheusRuleList":{"description":"PrometheusRuleList is a list of PrometheusRule","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of prometheusrules. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.PrometheusRule"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PrometheusRuleList","version":"v1"}],"title":"com.coreos.monitoring.v1.PrometheusRuleList"},"com.coreos.monitoring.v1.ServiceMonitor":{"description":"The `ServiceMonitor` custom resource definition (CRD) defines how `Prometheus` and `PrometheusAgent` can scrape metrics from a group of services.\nAmong other things, it allows to specify:\n* The services to scrape via label selectors.\n* The container ports to scrape.\n* Authentication credentials to use.\n* Target and metric relabeling.\n\n`Prometheus` and `PrometheusAgent` objects select `ServiceMonitor` objects using label and namespace selectors.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of desired Service selection for target discovery by\nPrometheus.","type":"object","required":["endpoints","selector"],"properties":{"attachMetadata":{"description":"attachMetadata defines additional metadata which is added to the\ndiscovered targets.\n\nIt requires Prometheus >= v2.37.0.","type":"object","properties":{"node":{"description":"node when set to true, Prometheus attaches node metadata to the discovered\ntargets.\n\nThe Prometheus service account must have the `list` and `watch`\npermissions on the `Nodes` objects.","type":"boolean"}}},"bodySizeLimit":{"description":"bodySizeLimit when defined, bodySizeLimit specifies a job level limit on the size\nof uncompressed response body that will be accepted by Prometheus.\n\nIt requires Prometheus >= v2.28.0.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.\nIt requires Prometheus >= v3.0.0.","type":"boolean"},"endpoints":{"description":"endpoints defines the list of endpoints part of this ServiceMonitor.\nDefines how to scrape metrics from Kubernetes 
[Endpoints](https://kubernetes.io/docs/concepts/services-networking/service/#endpoints) objects.\nIn most cases, an Endpoints object is backed by a Kubernetes [Service](https://kubernetes.io/docs/concepts/services-networking/service/) object with the same name and labels.","type":"array","items":{"description":"Endpoint defines an endpoint serving Prometheus metrics to be scraped by\nPrometheus.","type":"object","properties":{"authorization":{"description":"authorization configures the Authorization header credentials used by\nthe client.\n\nCannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the Basic Authentication credentials used by the\nclient.\n\nCannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenFile":{"description":"bearerTokenFile defines the file to read bearer token for scraping the target.\n\nDeprecated: use `authorization` instead.","type":"string"},"bearerTokenSecret":{"description":"bearerTokenSecret defines a key of a Secret containing the bearer token\nused by the client for authentication. The secret needs to be in the\nsame namespace as the custom resource and readable by the Prometheus\nOperator.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `oauth2`.\n\nDeprecated: use `authorization` instead.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"filterRunning":{"description":"filterRunning when true, the pods which are not running (e.g. 
either in Failed or\nSucceeded state) are dropped during the target discovery.\n\nIf unset, the filtering is enabled.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether the client should follow HTTP 3xx\nredirects.","type":"boolean"},"honorLabels":{"description":"honorLabels, when true, preserves the metric's labels when they collide\nwith the target's labels.","type":"boolean"},"honorTimestamps":{"description":"honorTimestamps defines whether Prometheus preserves the timestamps\nwhen exposed by the target.","type":"boolean"},"interval":{"description":"interval at which Prometheus scrapes the metrics from the target.\n\nIf empty, Prometheus uses the global scrape interval.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"metricRelabelings":{"description":"metricRelabelings defines the relabeling rules to apply to the\nsamples before ingestion.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels that select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 settings used by the client.\n\nIt requires Prometheus >= 2.27.0.\n\nCannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is accepted without verification, so the connection is not protected against interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"params":{"description":"params define optional HTTP URL parameters.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"path":{"description":"path defines the HTTP path from which to scrape for metrics.\n\nIf empty, Prometheus uses the default value (e.g. `/metrics`).","type":"string"},"port":{"description":"port defines the name of the Service port which this endpoint refers to.\n\nIt takes precedence over `targetPort`.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"relabelings":{"description":"relabelings defines the relabeling rules to apply to the target's\nmetadata labels.\n\nThe Operator automatically adds relabelings for a few standard Kubernetes fields.\n\nThe original scrape job's name is available via the `__tmp_prometheus_job_name` label.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: 
\"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"scheme":{"description":"scheme defines the HTTP scheme to use when scraping the metrics.","type":"string","enum":["http","https","HTTP","HTTPS"]},"scrapeTimeout":{"description":"scrapeTimeout defines the timeout after which Prometheus considers the scrape to be failed.\n\nIf empty, Prometheus uses the global scrape timeout 
unless it is less\nthan the target's scrape interval value in which the latter is used.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"targetPort":{"description":"targetPort defines the name or number of the target port of the `Pod` object behind the\nService. The port must be specified with the container's port property.","x-kubernetes-int-or-string":true},"tlsConfig":{"description":"tlsConfig defines TLS configuration used by the client.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the target's certificate is accepted without verification, so the scrape connection is not protected against interception.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"trackTimestampsStaleness":{"description":"trackTimestampsStaleness defines whether Prometheus tracks staleness of\nthe metrics that have an explicit timestamp present in scraped data.\nHas no effect if `honorTimestamps` is false.\n\nIt requires Prometheus >= v2.48.0.","type":"boolean"}}}},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"jobLabel":{"description":"jobLabel selects the label from the associated Kubernetes `Service`\nobject which will be used as the `job` label for all metrics.\n\nFor example if `jobLabel` is set to `foo` and the Kubernetes `Service`\nobject is labeled with `foo: bar`, then Prometheus adds the `job=\"bar\"`\nlabel to all ingested metrics.\n\nIf the value of this field is empty or if the label doesn't exist for\nthe given Service, the `job` label of the metrics defaults to the name\nof the associated Kubernetes 
`Service`.","type":"string"},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 0 means no limit.\n\nIt requires Prometheus >= v2.47.0.","type":"integer","format":"int64"},"labelLimit":{"description":"labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on the length of label names that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on the length of label values that will be accepted for a sample.\n\nIt requires Prometheus >= v2.27.0.","type":"integer","format":"int64"},"namespaceSelector":{"description":"namespaceSelector defines in which namespace(s) Prometheus should discover the services.\nBy default, the services are discovered in the same namespace as the `ServiceMonitor` object but it is possible to select pods across different/all namespaces.","type":"object","properties":{"any":{"description":"any defines the boolean describing whether all namespaces are selected in contrast to a\nlist restricting them.","type":"boolean"},"matchNames":{"description":"matchNames defines the list of namespace names to select from.","type":"array","items":{"type":"string"}}}},"nativeHistogramBucketLimit":{"description":"nativeHistogramBucketLimit defines a bucket limit: if there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0.","type":"integer","format":"int64"},"nativeHistogramMinBucketFactor":{"description":"nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase 
the factor sufficiently.\nIt requires Prometheus >= v2.50.0.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"podTargetLabels":{"description":"podTargetLabels defines the labels which are transferred from the\nassociated Kubernetes `Pod` object onto the ingested metrics.","type":"array","items":{"type":"string"}},"sampleLimit":{"description":"sampleLimit defines a per-scrape limit on the number of scraped samples\nthat will be accepted.","type":"integer","format":"int64"},"scrapeClass":{"description":"scrapeClass defines the scrape class to apply.","type":"string","minLength":1},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.","type":"boolean"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols defines the protocols to negotiate during a scrape. 
It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.","type":"array","items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"selector":{"description":"selector defines the label selector to select the Kubernetes `Endpoints` objects to scrape metrics from.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"selectorMechanism":{"description":"selectorMechanism defines the mechanism used to select the endpoints to scrape.\nBy default, the selection process relies on relabel configurations to filter the discovered targets.\nAlternatively, you can opt in for role selectors, which may offer better efficiency in large clusters.\nWhich strategy is best for your use case needs to be carefully evaluated.\n\nIt requires Prometheus >= v2.17.0.","type":"string","enum":["RelabelConfig","RoleSelector"]},"serviceDiscoveryRole":{"description":"serviceDiscoveryRole defines the service discovery role used to discover targets.\n\nIf set, the value should be either \"Endpoints\" or \"EndpointSlice\".\nOtherwise it defaults to the value defined in the\nPrometheus/PrometheusAgent resource.","type":"string","enum":["Endpoints","EndpointSlice"]},"targetLabels":{"description":"targetLabels defines the labels which are transferred from the\nassociated Kubernetes `Service` object onto the ingested metrics.","type":"array","items":{"type":"string"}},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will\nbe accepted.","type":"integer","format":"int64"}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the ServiceMonitor. 
Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ServiceMonitor","version":"v1"}],"title":"com.coreos.monitoring.v1.ServiceMonitor"},"com.coreos.monitoring.v1.ServiceMonitorList":{"description":"ServiceMonitorList is a list of ServiceMonitor","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of servicemonitors. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.ServiceMonitor"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ServiceMonitorList","version":"v1"}],"title":"com.coreos.monitoring.v1.ServiceMonitorList"},"com.coreos.monitoring.v1.ThanosRuler":{"description":"The `ThanosRuler` custom resource definition (CRD) defines a desired [Thanos Ruler](https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md) setup to run in a Kubernetes cluster.\n\nA `ThanosRuler` instance requires at least one compatible Prometheus API endpoint (either Thanos Querier or Prometheus services).\n\nThe resource defines via label and namespace selectors which `PrometheusRule` objects should be associated to the deployed Thanos Ruler instances.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of the desired behavior of the ThanosRuler cluster. More info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"additionalArgs":{"description":"additionalArgs defines how to add additional arguments for the ThanosRuler container.\nIt is intended for e.g. activating hidden flags which are not supported by\nthe dedicated configuration options yet. The arguments are passed as-is to the\nThanosRuler container which may cause issues if they are invalid or not supported\nby the given ThanosRuler version.\nIn case of an argument conflict (e.g. an argument which is already set by the\noperator itself) or when providing an invalid argument the reconciliation will\nfail and an error will be logged.","type":"array","items":{"description":"Argument as part of the AdditionalArgs list.","type":"object","required":["name"],"properties":{"name":{"description":"name of the argument, e.g. \"scrape.discovery-reload-interval\".","type":"string","minLength":1},"value":{"description":"value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. 
--storage.tsdb.no-lockfile)","type":"string"}}}},"affinity":{"description":"affinity defines when specified, the pod's scheduling constraints.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and subtracting\n\"weight\" from the sum if the node has pods which match the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"alertDropLabels":{"description":"alertDropLabels defines the label names which should be dropped in Thanos Ruler\nalerts.\n\nThe replica label `thanos_ruler_replica` will always be dropped from the alerts.","type":"array","items":{"type":"string"}},"alertQueryUrl":{"description":"alertQueryUrl defines the URL that Thanos Ruler will set in the 'Source' field\nof all alerts.\nMaps to the '--alert.query-url' CLI arg.","type":"string"},"alertRelabelConfigFile":{"description":"alertRelabelConfigFile defines the path to the alert relabeling configuration file.\n\nAlert relabel configuration must have the form as specified in the\nofficial Prometheus documentation:\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n\nThe operator performs no validation of the configuration file.\n\nThis field takes precedence over `alertRelabelConfigs`.","type":"string"},"alertRelabelConfigs":{"description":"alertRelabelConfigs defines the alert relabeling in Thanos Ruler.\n\nAlert relabel configuration must have 
the form as specified in the\nofficial Prometheus documentation:\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs\n\nThe operator performs no validation of the configuration.\n\n`alertRelabelConfigFile` takes precedence over this field.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"alertmanagersConfig":{"description":"alertmanagersConfig defines the list of Alertmanager endpoints to send alerts to.\n\nThe configuration format is defined at https://thanos.io/tip/components/rule.md/#alertmanager.\n\nIt requires Thanos >= v0.10.0.\n\nThe operator performs no validation of the configuration.\n\nThis field takes precedence over `alertmanagersUrl`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"alertmanagersUrl":{"description":"alertmanagersUrl defines the list of Alertmanager endpoints to send alerts to.\n\nFor Thanos >= v0.10.0, it is recommended to use `alertmanagersConfig` instead.\n\n`alertmanagersConfig` takes precedence over this field.","type":"array","items":{"type":"string"}},"containers":{"description":"containers allows injecting additional containers or modifying operator generated\ncontainers. This can be used to allow adding an authentication proxy to a ThanosRuler pod or\nto change the behavior of an operator generated container. Containers described here modify\nan operator generated container if they share the same name and modifications are done via a\nstrategic merge patch. The current container names are: `thanos-ruler` and `config-reloader`.\nOverriding containers is entirely outside the scope of what the maintainers will support and by doing\nso, you accept that this behaviour may break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. 
Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. 
Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. 
An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. 
If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. 
The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"dnsConfig":{"description":"dnsConfig defines the DNS configuration for the pods.","type":"object","properties":{"nameservers":{"description":"nameservers defines the list of DNS name server IP addresses.\nThis will be appended to the base nameservers generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"options":{"description":"options defines the list of DNS resolver options.\nThis will be merged with the base options generated from DNSPolicy.\nResolution options given in Options\nwill override those that appear in the base DNSPolicy.","type":"array","items":{"description":"PodDNSConfigOption defines DNS resolver options of a 
pod.","type":"object","required":["name"],"properties":{"name":{"description":"name is required and must be unique.","type":"string","minLength":1},"value":{"description":"value is optional.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"searches":{"description":"searches defines the list of DNS search domains for host-name lookup.\nThis will be appended to the base search paths generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"dnsPolicy":{"description":"dnsPolicy defines the DNS policy for the pods.","type":"string","enum":["ClusterFirstWithHostNet","ClusterFirst","Default","None"]},"enableFeatures":{"description":"enableFeatures defines how to setup Thanos Ruler feature flags. By default, no features are enabled.\n\nEnabling features which are disabled by default is entirely outside the\nscope of what the maintainers will support and by doing so, you accept\nthat this behaviour may break at any time without notice.\n\nFor more information see https://thanos.io/tip/components/rule.md/\n\nIt requires Thanos >= 0.39.0.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"enableServiceLinks":{"description":"enableServiceLinks defines whether information about services should be injected into pod's environment variables","type":"boolean"},"enforcedNamespaceLabel":{"description":"enforcedNamespaceLabel enforces adding a namespace label of origin for each alert\nand metric that is user created. 
The label value will always be the namespace of the object that is\nbeing created.","type":"string"},"evaluationInterval":{"description":"evaluationInterval defines the interval between consecutive evaluations.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"excludedFromEnforcement":{"description":"excludedFromEnforcement defines the list of references to PrometheusRule objects\nto be excluded from enforcing a namespace label of origin.\nApplies only if enforcedNamespaceLabel is set.","type":"array","items":{"description":"ObjectReference references a PodMonitor, ServiceMonitor, Probe or PrometheusRule object.","type":"object","required":["namespace","resource"],"properties":{"group":{"description":"group of the referent. When not specified, it defaults to `monitoring.coreos.com`","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name of the referent. When not set, all resources in the namespace are matched.","type":"string"},"namespace":{"description":"namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string","minLength":1},"resource":{"description":"resource of the referent.","type":"string","enum":["prometheusrules","servicemonitors","podmonitors","probes","scrapeconfigs"]}}}},"externalPrefix":{"description":"externalPrefix defines the URL prefix under which the Thanos Ruler instances will be available. This is\nnecessary to generate correct URLs. 
This is necessary if Thanos Ruler is not\nserved from root of a DNS name.","type":"string"},"grpcServerTlsConfig":{"description":"grpcServerTlsConfig defines the gRPC server from which Thanos Querier reads\nrecorded rule data.\nNote: Currently only the CAFile, CertFile, and KeyFile fields are supported.\nMaps to the '--grpc-server-tls-*' CLI args.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the identity of the peer is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated protocol versions (RFC 8996); prefer TLS12 or TLS13.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"hostAliases":{"description":"hostAliases defines pods' hostAliases configuration","type":"array","items":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the\npod's hosts file.","type":"object","required":["hostnames","ip"],"properties":{"hostnames":{"description":"hostnames defines hostnames for the above IP address.","type":"array","items":{"type":"string"}},"ip":{"description":"ip defines the IP address of the host file entry.","type":"string"}}},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map"},"hostUsers":{"description":"hostUsers supports user namespaces in Kubernetes.\n\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/\n\nThe feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled.\nStarting with Kubernetes 1.33, the feature is enabled by default.","type":"boolean"},"image":{"description":"image defines Thanos container image URL.","type":"string"},"imagePullPolicy":{"description":"imagePullPolicy defines the image pull policy for the 'thanos', 'init-config-reloader' and 'config-reloader' containers.\nSee 
https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.","type":"string","enum":["","Always","Never","IfNotPresent"]},"imagePullSecrets":{"description":"imagePullSecrets defines an optional list of references to secrets in the same namespace\nto use for pulling thanos images from registries\nsee http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"initContainers":{"description":"initContainers allows adding initContainers to the pod definition. Those can be used to e.g.\nfetch secrets for injection into the ThanosRuler configuration from external sources. Any\nerrors during the execution of an initContainer will lead to a restart of the Pod.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/\nUsing initContainers for any use case other than secret fetching is entirely outside the scope\nof what the maintainers will support and by doing so, you accept that this behaviour may break\nat any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. 
If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. 
If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. 
An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. 
If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. 
The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false.","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"labels":{"description":"labels defines the external label pairs of the ThanosRuler resource.\n\nA default replica label `thanos_ruler_replica` will be always added as a\nlabel with the value of the pod's name.","type":"object","additionalProperties":{"type":"string"}},"listenLocal":{"description":"listenLocal defines the Thanos ruler listen on loopback, so that it\ndoes not bind against the Pod IP.","type":"boolean"},"logFormat":{"description":"logFormat for ThanosRuler to be configured with.","type":"string","enum":["","logfmt","json"]},"logLevel":{"description":"logLevel for ThanosRuler to be configured with.","type":"string","enum":["","debug","info","warn","error"]},"minReadySeconds":{"description":"minReadySeconds defines the minimum number of 
seconds for which a newly created pod should be ready\nwithout any of its containers crashing for it to be considered available.\n\nIf unset, pods will be considered available as soon as they are ready.","type":"integer","format":"int32","minimum":0},"nodeSelector":{"description":"nodeSelector defines which Nodes the Pods are scheduled on.","type":"object","additionalProperties":{"type":"string"}},"objectStorageConfig":{"description":"objectStorageConfig defines the object storage configuration.\n\nThe configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage\n\nThe operator performs no validation of the configuration.\n\n`objectStorageConfigFile` takes precedence over this field.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"objectStorageConfigFile":{"description":"objectStorageConfigFile defines the path of the object storage configuration file.\n\nThe configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage\n\nThe operator performs no validation of the configuration file.\n\nThis field takes precedence over `objectStorageConfig`.","type":"string"},"paused":{"description":"paused defines when a ThanosRuler deployment is paused, no actions except for deletion\nwill be performed on the underlying objects.","type":"boolean"},"podManagementPolicy":{"description":"podManagementPolicy defines the policy for creating/deleting pods when\nscaling up and down.\n\nUnlike the default StatefulSet behavior, the default policy is\n`Parallel` to avoid manual intervention in case a pod gets stuck during\na rollout.\n\nNote that updating this value implies the recreation of the StatefulSet\nwhich incurs a service outage.","type":"string","enum":["OrderedReady","Parallel"]},"podMetadata":{"description":"podMetadata defines labels and annotations which are propagated to the ThanosRuler pods.\n\nThe following items are reserved and cannot be overridden:\n* \"app.kubernetes.io/name\" label, set to \"thanos-ruler\".\n* \"app.kubernetes.io/managed-by\" label, set to \"prometheus-operator\".\n* \"app.kubernetes.io/instance\" label, set to the name of the ThanosRuler instance.\n* \"thanos-ruler\" label, set to the name of the ThanosRuler instance.\n* \"kubectl.kubernetes.io/default-container\" annotation, set to \"thanos-ruler\".","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map 
stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"portName":{"description":"portName defines the port name used for the pods and governing service.\nDefaults to `web`.","type":"string"},"priorityClassName":{"description":"priorityClassName defines the priority class assigned to the Pods","type":"string"},"prometheusRulesExcludedFromEnforce":{"description":"prometheusRulesExcludedFromEnforce defines a list of Prometheus rules to be excluded from enforcing\nof adding namespace labels. 
Works only if enforcedNamespaceLabel is set to true.\nMake sure both ruleNamespace and ruleName are set for each pair.\nDeprecated: use excludedFromEnforcement instead.","type":"array","items":{"description":"PrometheusRuleExcludeConfig enables users to configure excluded\nPrometheusRule names and their namespaces to be ignored while enforcing\nnamespace label for alerts and metrics.","type":"object","required":["ruleName","ruleNamespace"],"properties":{"ruleName":{"description":"ruleName defines the name of the excluded PrometheusRule object.","type":"string"},"ruleNamespace":{"description":"ruleNamespace defines the namespace of the excluded PrometheusRule object.","type":"string"}}}},"queryConfig":{"description":"queryConfig defines the list of Thanos Query endpoints from which to query metrics.\n\nThe configuration format is defined at https://thanos.io/tip/components/rule.md/#query-api\n\nIt requires Thanos >= v0.11.0.\n\nThe operator performs no validation of the configuration.\n\nThis field takes precedence over `queryEndpoints`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"queryEndpoints":{"description":"queryEndpoints defines the list of Thanos Query endpoints from which to query metrics.\n\nFor Thanos >= v0.11.0, it is recommended to use `queryConfig` instead.\n\n`queryConfig` takes precedence over this field.","type":"array","items":{"type":"string"}},"remoteWrite":{"description":"remoteWrite defines the list of remote write configurations.\n\nWhen the list isn't empty, the ruler is configured with stateless mode.\n\nIt requires Thanos >= 0.24.0.","type":"array","items":{"description":"RemoteWriteSpec defines the configuration to write samples from Prometheus\nto a remote endpoint.","type":"object","required":["url"],"properties":{"authorization":{"description":"authorization section for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"azureAd":{"description":"azureAd for the URL.\n\nIt requires Prometheus >= v2.45.0 or Thanos >= v0.31.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.","type":"object","properties":{"cloud":{"description":"cloud defines the Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.","type":"string","enum":["AzureChina","AzureGovernment","AzurePublic"]},"managedIdentity":{"description":"managedIdentity defines the Azure User-assigned Managed identity.\nCannot be set at the same time as `oauth`, `sdk` or `workloadIdentity`.","type":"object","properties":{"clientId":{"description":"clientId defines the Azure User-assigned Managed identity.\n\nFor Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities.","type":"string","minLength":1}}},"oauth":{"description":"oauth defines the oauth config that is being used to authenticate.\nCannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.48.0 or Thanos >= v0.31.0.","type":"object","required":["clientId","clientSecret","tenantId"],"properties":{"clientId":{"description":"clientId defines the clientId of the Azure Active Directory application that is being used to 
authenticate.","type":"string","minLength":1},"clientSecret":{"description":"clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application that is being used to authenticate.","type":"string","minLength":1,"pattern":"^[0-9a-zA-Z-.]+$"}}},"scope":{"description":"scope is the custom OAuth 2.0 scope to request when acquiring tokens.\nIt requires Prometheus >= 3.9.0. Currently not supported by Thanos.","type":"string","pattern":"^[\\w\\s:/.\\\\-]+$"},"sdk":{"description":"sdk defines the Azure SDK config that is being used to authenticate.\nSee https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication\nCannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.52.0 or Thanos >= v0.36.0.","type":"object","properties":{"tenantId":{"description":"tenantId defines the tenant ID of the azure active directory application that is being used to authenticate.","type":"string","pattern":"^[0-9a-zA-Z-.]+$"}}},"workloadIdentity":{"description":"workloadIdentity defines the Azure Workload Identity authentication.\nCannot be set at the same time as `oauth`, `managedIdentity`, or `sdk`.\n\nIt requires Prometheus >= 3.7.0. 
Currently not supported by Thanos.","type":"object","required":["clientId","tenantId"],"properties":{"clientId":{"description":"clientId is the clientID of the Azure Active Directory application.","type":"string","minLength":1},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application.","type":"string","minLength":1}}}}},"basicAuth":{"description":"basicAuth configuration for the URL.\n\nCannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n*Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file from which to read bearer token for the URL.\n\nDeprecated: this will be removed in a future release. Prefer using `authorization`.","type":"string"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.","type":"boolean"},"headers":{"description":"headers defines the custom HTTP headers to be sent along with each remote write request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\n\nIt requires Prometheus >= v2.25.0 or Thanos >= v0.24.0.","type":"object","additionalProperties":{"type":"string"}},"messageVersion":{"description":"messageVersion defines the Remote Write message's version to use when writing to the endpoint.\n\n`Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0.\n`Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0.\n\nWhen `Version2.0` is selected, Prometheus will automatically be\nconfigured to append the metadata of scraped metrics to the WAL.\n\nBefore setting this field, consult with your remote storage provider\nwhat message version it supports.\n\nIt requires Prometheus >= v2.54.0 or 
Thanos >= v0.37.0.","type":"string","enum":["V1.0","V2.0"]},"metadataConfig":{"description":"metadataConfig defines how to send a series metadata to the remote storage.\n\nWhen the field is empty, **no metadata** is sent. But when the field is\nnull, metadata is sent.","type":"object","properties":{"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of metadata samples per send.\n\nIt requires Prometheus >= v2.29.0.","type":"integer","format":"int32","minimum":-1},"send":{"description":"send defines whether metric metadata is sent to the remote storage or not.","type":"boolean"},"sendInterval":{"description":"sendInterval defines how frequently metric metadata is sent to the remote storage.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"name":{"description":"name of the remote write queue, it must be unique if specified. The\nname is used in metrics and logging in order to differentiate queues.\n\nIt requires Prometheus >= v2.15.0 or Thanos >= 0.24.0.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 configuration for the URL.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"queueConfig":{"description":"queueConfig allows tuning of the remote write queue parameters.","type":"object","properties":{"batchSendDeadline":{"description":"batchSendDeadline defines the maximum time a sample will wait in buffer.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"capacity":{"description":"capacity defines the number of samples to buffer per shard before we start\ndropping them.","type":"integer"},"maxBackoff":{"description":"maxBackoff defines the maximum retry delay.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"maxRetries":{"description":"maxRetries defines the maximum number of times to retry a batch on recoverable errors.","type":"integer"},"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of samples per send.","type":"integer"},"maxShards":{"description":"maxShards defines the maximum number of shards, i.e. amount of concurrency.","type":"integer"},"minBackoff":{"description":"minBackoff defines the initial retry delay. 
Gets doubled for every retry.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"minShards":{"description":"minShards defines the minimum number of shards, i.e. amount of concurrency.","type":"integer"},"retryOnRateLimit":{"description":"retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"boolean"},"sampleAgeLimit":{"description":"sampleAgeLimit drops samples older than the limit.\nIt requires Prometheus >= v2.50.0 or Thanos >= v0.32.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"remoteTimeout":{"description":"remoteTimeout defines the timeout for requests to the remote write endpoint.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"roundRobinDNS":{"description":"roundRobinDNS controls the DNS resolution behavior for remote-write connections.\nWhen enabled:\n  - The remote-write mechanism will resolve the hostname via DNS.\n  - It will randomly select one of the resolved IP addresses and connect to it.\n\nWhen disabled (default behavior):\n  - The Go standard library will handle hostname resolution.\n  - It will attempt connections to each resolved IP address sequentially.\n\nNote: The connection timeout applies to the entire resolution and connection process.\n\n\tIf disabled, the timeout is distributed across all connection attempts.\n\nIt requires Prometheus >= v3.1.0 or Thanos >= v0.38.0.","type":"boolean"},"sendExemplars":{"description":"sendExemplars enables sending of exemplars over remote write. 
Note that\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.","type":"boolean"},"sendNativeHistograms":{"description":"sendNativeHistograms enables sending of native histograms, also known as sparse histograms\nover remote write.\n\nIt requires Prometheus >= v2.40.0 or Thanos >= v0.30.0.","type":"boolean"},"sigv4":{"description":"sigv4 defines the AWS Signature Version 4 signing configuration for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key. If not specified, the environment variable\n`AWS_ACCESS_KEY_ID` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"profile":{"description":"profile defines the named AWS profile used to authenticate.","type":"string"},"region":{"description":"region defines the AWS region. If blank, the region from the default credentials chain is used.","type":"string"},"roleArn":{"description":"roleArn defines the AWS role ARN used to authenticate.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret. 
If not specified, the environment\nvariable `AWS_SECRET_ACCESS_KEY` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"useFIPSSTSEndpoint":{"description":"useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint.\nIt requires Prometheus >= v2.54.0.","type":"boolean"}}},"tlsConfig":{"description":"tlsConfig to use for the URL.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify, when true, disables verification of the target's certificate, so the remote endpoint's identity is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL of the endpoint to send samples to.","type":"string","minLength":1},"writeRelabelConfigs":{"description":"writeRelabelConfigs defines the list of remote write relabel configurations.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}}}}},"replicas":{"description":"replicas defines the number of thanos ruler instances to deploy.","type":"integer","format":"int32"},"resendDelay":{"description":"resendDelay defines the minimum amount of time to wait before resending an alert to Alertmanager.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"resources":{"description":"resources defines the resource requirements for single Pods.\nIf not provided, no requests/limits will be set","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on 
the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"retention":{"description":"retention defines the time duration ThanosRuler shall retain data for. 
Default is '24h', and\nmust match the regular expression `[0-9]+(ms|s|m|h|d|w|y)` (milliseconds\nseconds minutes hours days weeks years).\n\nThe field has no effect when remote-write is configured since the Ruler\noperates in stateless mode.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"routePrefix":{"description":"routePrefix defines the route prefix ThanosRuler registers HTTP handlers for. This allows thanos UI to be served on a sub-path.","type":"string"},"ruleConcurrentEval":{"description":"ruleConcurrentEval defines how many rules can be evaluated concurrently.\nIt requires Thanos >= v0.37.0.","type":"integer","format":"int32","minimum":1},"ruleGracePeriod":{"description":"ruleGracePeriod defines the minimum duration between alert and restored \"for\" state.\nThis is maintained only for alerts with configured \"for\" time greater than grace period.\nIt requires Thanos >= v0.30.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"ruleNamespaceSelector":{"description":"ruleNamespaceSelector defines the namespaces to be selected for Rules discovery. If unspecified, only\nthe same namespace as the ThanosRuler object is in is used.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"ruleOutageTolerance":{"description":"ruleOutageTolerance defines the max time to tolerate prometheus outage for restoring \"for\" state of alert.\nIt requires Thanos >= v0.30.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"ruleQueryOffset":{"description":"ruleQueryOffset defines the default rule group's query offset duration to use.\nIt requires Thanos >= v0.38.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"ruleSelector":{"description":"ruleSelector defines the PrometheusRule objects to be selected for rule evaluation. An empty\nlabel selector matches all objects. A null label selector matches no\nobjects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"securityContext":{"description":"securityContext defines the pod-level security attributes and common container settings.\nThis defaults to the default PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. 
This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxChangePolicy":{"description":"seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or on volumes that do not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. 
Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, 
relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified).  If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"description":"Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"serviceAccountName":{"description":"serviceAccountName defines the name of the ServiceAccount to use to run the\nThanos Ruler Pods.","type":"string"},"serviceName":{"description":"serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service.\nIf defined, the Service  must be created before the ThanosRuler resource in the same namespace and it must define a selector that matches the pod labels.\nIf empty, the operator will create and manage a headless service named `thanos-ruler-operated` for ThanosRuler resources.\nWhen deploying multiple ThanosRuler resources in the same namespace, it is recommended to specify a different value for each.\nSee https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.","type":"string","minLength":1},"storage":{"description":"storage defines the specification of how storage shall be used.","type":"object","properties":{"disableMountSubPath":{"description":"disableMountSubPath deprecated: subPath usage will be removed in a future release.","type":"boolean"},"emptyDir":{"description":"emptyDir to be used by the StatefulSet.\nIf specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium 
EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral to be used by the StatefulSet.\nThis is a beta field in k8s 1.21 and GA in 1.15.\nFor lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate.\nMore info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to updated with an\nowner reference to the pod once the pod exists. 
Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is 
required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the 
specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"volumeClaimTemplate":{"description":"volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets.\nThe easiest way to use a volume that cannot be automatically provisioned\nis to use a label selector alongside manually created PersistentVolumes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert 
recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata defines EmbeddedMetadata contains metadata relevant to an EmbeddedResource.","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. 
Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"spec":{"description":"spec defines the specification of the  characteristics of a volume requested by a pod author.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, 
if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of 
resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}},"status":{"description":"status is deprecated: this field is never set.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. 
Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"description":"When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource\nthat it does not recognize, then it should ignore that update and let other controllers\nhandle it.","type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being\nresized then the Condition will be set to 'Resizing'.","type":"array","items":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["status","type"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","type":"string","format":"date-time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, this should be a short, machine understandable string that gives the reason\nfor condition's last transition. 
If it reports \"Resizing\" that means the underlying\npersistent volume is being resized.","type":"string"},"status":{"description":"Status is the status of the condition.\nCan be True, False, Unknown.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required","type":"string"},"type":{"description":"Type is the type of the condition.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.\nWhen unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.\nWhen this is unset, there is no ModifyVolume operation being attempted.","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. 
Consumers should check for unknown statuses and fail appropriately.","type":"string"},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}}},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.","type":"string"}}}}}}},"terminationGracePeriodSeconds":{"description":"terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down) which may lead to data corruption.\n\nDefaults to 120 seconds.","type":"integer","format":"int64","minimum":0},"tolerations":{"description":"tolerations defines when specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}},"topologySpreadConstraints":{"description":"topologySpreadConstraints defines the pod's topology spread constraints.","type":"array","items":{"description":"TopologySpreadConstraint specifies how to spread matching pods among the given topology.","type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"description":"LabelSelector is used to find matching pods.\nPods that match this label selector are counted to determine the number of pods\nin their corresponding topology domain.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which\nspreading will be calculated. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are ANDed with labelSelector\nto select the group of existing pods over which spreading will be calculated\nfor the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.\nMatchLabelKeys cannot be set when LabelSelector isn't set.\nKeys that don't exist in the incoming pod labels will\nbe ignored. A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed.\nWhen `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference\nbetween the number of matching pods in the target topology and the global minimum.\nThe global minimum is the minimum number of matching pods in an eligible domain\nor zero if the number of eligible domains is less than MinDomains.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 2/2/1:\nIn this case, the global minimum is 1.\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |   P   |\n- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;\nscheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)\nviolate MaxSkew(1).\n- if MaxSkew is 2, incoming pod can be scheduled onto any 
zone.\nWhen `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence\nto topologies that satisfy it.\nIt's a required field. Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains.\nWhen the number of eligible domains with matching topology keys is less than minDomains,\nPod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed.\nAnd when the number of eligible domains with matching topology keys equals or greater than minDomains,\nthis value has no effect on scheduling.\nAs a result, when the number of eligible domains is less than minDomains,\nscheduler won't schedule more than maxSkew Pods to those domains.\nIf value is nil, the constraint behaves as if MinDomains is equal to 1.\nValid values are integers greater than 0.\nWhen value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same\nlabelSelector spread as 2/2/2:\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |  P P  |\nThe number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0.\nIn this situation, new pod with the same labelSelector cannot be scheduled,\nbecause computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,\nit will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector\nwhen calculating pod topology spread skew. Options are:\n- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.\n- Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.","type":"string"},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating\npod topology spread skew. Options are:\n- Honor: nodes without taints, along with tainted nodes for which the incoming pod\nhas a toleration, are included.\n- Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.","type":"string"},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key\nand identical values are considered to be in the same topology.\nWe consider each <key, value> as a \"bucket\", and try to put balanced number\nof pods into each bucket.\nWe define a domain as a particular instance of a topology.\nAlso, we define an eligible domain as a domain whose nodes meet the requirements of\nnodeAffinityPolicy and nodeTaintsPolicy.\ne.g. 
If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology.\nAnd, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology.\nIt's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy\nthe spread constraint.\n- DoNotSchedule (default) tells the scheduler not to schedule it.\n- ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod\nif and only if every possible node assignment for that pod would violate\n\"MaxSkew\" on some topology.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 3/1/1:\n| zone1 | zone2 | zone3 |\n| P P P |   P   |   P   |\nIf WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled\nto zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies\nMaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler\nwon't make it *more* imbalanced.\nIt's a required field.","type":"string"}}}},"tracingConfig":{"description":"tracingConfig defines the tracing configuration.\n\nThe configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.\n\nThe operator performs no validation of the configuration.\n\n`tracingConfigFile` takes precedence over this field.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tracingConfigFile":{"description":"tracingConfigFile defines the path of the tracing configuration file.\n\nThe configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.\n\nThe operator performs no validation of the configuration file.\n\nThis field takes precedence over `tracingConfig`.","type":"string"},"updateStrategy":{"description":"updateStrategy indicates the strategy that will be employed to update\nPods in the StatefulSet when a revision is made to statefulset's Pod\nTemplate.\n\nThe default strategy is RollingUpdate.","type":"object","required":["type"],"properties":{"rollingUpdate":{"description":"rollingUpdate is used to communicate parameters when type is RollingUpdate.","type":"object","properties":{"maxUnavailable":{"description":"maxUnavailable is the maximum number of pods that can be unavailable\nduring the update. The value can be an absolute number (ex: 5) or a\npercentage of desired pods (ex: 10%). Absolute number is calculated from\npercentage by rounding up. This can not be 0.  Defaults to 1. This field\nis alpha-level and is only honored by servers that enable the\nMaxUnavailableStatefulSet feature. The field applies to all pods in the\nrange 0 to Replicas-1.  
That means if there is any unavailable pod in\nthe range 0 to Replicas-1, it will be counted towards MaxUnavailable.","x-kubernetes-int-or-string":true}}},"type":{"description":"type indicates the type of the StatefulSetUpdateStrategy.\n\nDefault is RollingUpdate.","type":"string","enum":["OnDelete","RollingUpdate"]}},"x-kubernetes-validations":[{"message":"rollingUpdate requires type to be RollingUpdate","rule":"!(self.type != 'RollingUpdate' && has(self.rollingUpdate))"}]},"version":{"description":"version of Thanos to be deployed.","type":"string"},"volumeMounts":{"description":"volumeMounts defines how the configuration of additional VolumeMounts on the output StatefulSet definition.\nVolumeMounts specified will be appended to other VolumeMounts in the ruler container,\nthat are generated as a result of StorageSpec objects.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}}},"volumes":{"description":"volumes defines how configuration of additional volumes on the output StatefulSet definition. Volumes specified will\nbe appended to other volumes that are generated as a result of StorageSpec objects.","type":"array","items":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: AWSElasticBlockStore is deprecated. 
All operations for the in-tree\nawsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}}},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.\nDeprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type\nare redirected to the disk.csi.azure.com CSI driver.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.","type":"string"},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"}}},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.\nDeprecated: AzureFile is deprecated. All operations for the in-tree azureFile type\nare redirected to the file.csi.azure.com CSI driver.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the  name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.\nDeprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is optional: User is the rados user name, default is admin\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine.\nDeprecated: Cinder is deprecated. All operations for the in-tree cinder type\nare redirected to the cinder.csi.openstack.org CSI driver.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect\nto OpenStack.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"description":"volumeID used to identify the volume in cinder.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"configMap":{"description":"configMap represents a configMap that should populate this volume","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' 
path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume.\nConsult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. 
\"ext4\", \"xfs\", \"ntfs\".\nIf not provided, the empty value is passed to the associated CSI driver\nwhich will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing\nsensitive information to pass to the CSI driver to complete the CSI\nNodePublishVolume and NodeUnpublishVolume calls.\nThis field is optional, and  may be empty if no secret is required. If the\nsecret object contains more than one secret, all secret references are passed.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume.\nDefaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI\ndriver. Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits to use on created files by default. 
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: 
https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver.\nThe volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,\nand deleted when the pod is removed.\n\nUse this if:\na) the volume is only needed while the pod runs,\nb) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and\nd) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific\nAPIs for volumes that persist for longer than the lifecycle\nof an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to\nbe used that way - see the documentation of the driver for\nmore information.\n\nA pod can use both types of ephemeral volumes and\npersistent volumes at the same time.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. 
Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the 
group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be 
enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids)\nEither wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"description":"flexVolume represents a generic volume resource that is\nprovisioned/attached using an exec based plugin.\nDeprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing\nsensitive information to pass to the plugin scripts. This may be\nempty if no secret object is specified. 
If the secret object\ncontains more than one secret, all secrets are passed to the plugin\nscripts.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.\nDeprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","type":"object","properties":{"datasetName":{"description":"datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker\nshould be considered as deprecated","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset","type":"string"}}},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: GCEPersistentDisk is deprecated. All operations for the in-tree\ngcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}}},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision.\nDeprecated: GitRepo is deprecated. To provision a container with a git repo, mount an\nEmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir\ninto the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name.\nMust not contain or start with '..'.  If '.' is supplied, the volume directory will be the\ngit repository.  
Otherwise, if specified, the volume will contain the git repository in\nthe subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}}},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.\nDeprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology.","type":"string"},"path":{"description":"path is the Glusterfs volume path.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. 
Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume\nDefaults to \"\"\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"}}},"image":{"description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.\nThe volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\n- Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\n- IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.\nA failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. 
Failures will be retried using normal volume backoff and will be reported on the pod reason and message.\nThe types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.\nThe OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.\nThe volume will be mounted read-only (ro) and non-executable files (noexec).\nSub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.\nThe field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.","type":"object","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are:\nAlways: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\nNever: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\nIfNotPresent: the kubelet pulls if the reference isn't already present on disk. 
Container creation will fail if the reference isn't present and the pull fails.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.","type":"string"},"reference":{"description":"Required: Image or artifact reference to be used.\nBehaves in the same way as pod.spec.containers[*].image.\nPull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"}}},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi","type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n<target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"string"}}},"name":{"description":"name of the volume.\nMust be a DNS_LABEL and unique within the pod.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"object","required":["path","server"],"properties":{"path":{"description":"path that is exported by the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}}},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a\nPersistentVolumeClaim in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts.\nDefault false.","type":"boolean"}}},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.\nDeprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type 
is no longer supported.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}}},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine.\nDeprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type\nare redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate\nis on.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}}},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections. 
Each entry in this list\nhandles one source.","type":"array","items":{"description":"Projection that may be projected along with other supported volume types.\nExactly one of these fields must be set.","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem.  Esoteric PEM features such as inter-block\ncomments and block headers are stripped.  Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector.  Only has\neffect if signerName is set.  Mutually-exclusive with name.  If unset,\ninterpreted as \"match nothing\".  If set but empty, interpreted as \"match\neverything\".","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"description":"Select a single ClusterTrustBundle by object name.  Mutually-exclusive\nwith signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s)\naren't available.  If using name, then the named ClusterTrustBundle is\nallowed not to exist.  If using signerName, then the combination of\nsignerName and labelSelector is allowed to match zero\nClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name.\nMutually-exclusive with name.  The contents of all selected\nClusterTrustBundles will be unified and deduplicated.","type":"string"}}},"configMap":{"description":"configMap information about the configMap data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. 
Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"description":"Projects an auto-rotating credential bundle (private key and certificate\nchain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a\nPodCertificateRequest to the named signer.  Once the signer approves the\nrequest and issues a certificate chain, Kubelet writes the key and\ncertificate chain to the pod filesystem.  The pod does not start until\ncertificates have been issued for each podCertificate projected volume\nsource in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated\nby the signer using the PodCertificateRequest.Status.BeginRefreshAt\ntimestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath\nfield, or separate files, indicated by the keyPath and\ncertificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  
The first PEM\nentry is the private key (in PKCS#8 format), and the remaining PEM\nentries are the certificate chain issued by the signer (typically,\nsigners will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code\ncan read it atomically.  If you use keyPath and certificateChainPath,\nyour application must make two separate file reads. If these coincide\nwith a certificate rotation, it is possible that the private key and leaf\ncertificate you read may not correspond to each other.  Your application\nwill need to check for this condition, and re-read until they are\nconsistent.\n\nThe named signer chooses the format of the certificate it\nissues; consult the signer implementation's documentation to learn how to\nuse the certificates it issues.","type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"description":"Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"credentialBundlePath":{"description":"Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks.\nThe first PEM block is a PRIVATE KEY block, containing a PKCS#8 private\nkey.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued\ncertificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single\natomic read that retrieves a consistent key and certificate chain.  
If you\nproject them to separate files, your application code will need to\nadditionally check that the leaf certificate was issued to the key.","type":"string"},"keyPath":{"description":"Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"keyType":{"description":"The type of keypair Kubelet will generate for the pod.\n\nValid values are \"RSA3072\", \"RSA4096\", \"ECDSAP256\", \"ECDSAP384\",\n\"ECDSAP521\", and \"ED25519\".","type":"string"},"maxExpirationSeconds":{"description":"maxExpirationSeconds is the maximum lifetime permitted for the\ncertificate.\n\nKubelet copies this value verbatim into the PodCertificateRequests it\ngenerates for this projection.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver\nwill reject values shorter than 3600 (1 hour).  The maximum allowable\nvalue is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any\nlifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600\nseconds (1 hour).  This constraint is enforced by kube-apiserver.\n`kubernetes.io` signers will never issue certificates with a lifetime\nlonger than 24 hours.","type":"integer","format":"int32"},"signerName":{"description":"Kubelet's generated CSRs will be addressed to this signer.","type":"string"}}},"secret":{"description":"secret information about the secret data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token\nmust identify itself with an identifier specified in the audience of the\ntoken, and otherwise should reject the token. 
The audience defaults to the\nidentifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service\naccount token. As the token approaches expiration, the kubelet volume\nplugin will proactively rotate the service account token. The kubelet will\nstart trying to rotate the token if the token is older than 80 percent of\nits time to live or if the token is older than 24 hours. Defaults to 1 hour\nand must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the\ntoken into.","type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime.\nDeprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to\nDefault is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions.\nDefaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services\nspecified as a string as host:port pair (multiple entries are separated with commas)\nwhich acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend\nUsed with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to\nDefaults to serviceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}}},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nDeprecated: RBD is 
deprecated and the in-tree rbd type is no longer supported.","type":"object","required":["image","monitors"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided\noverrides keyring.\nDefault is nil.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.\nDeprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other\nsensitive information. If this is not provided, Login operation will fail.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"description":"sslEnabled is the flag to enable/disable SSL communication with the Gateway. Defaults to false.","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system\nthat is associated with this volume source.","type":"string"}}},"secret":{"description":"secret represents a secret that should populate this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values\nfor mode bits. Defaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}}},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.\nDeprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API\ncredentials.  If not specified, default values will be attempted.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume\nnames are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no\nnamespace is specified then the Pod's namespace will be used.  This allows the\nKubernetes name scoping to be mirrored within StorageOS for tighter integration.\nSet VolumeName to any name to override the default behaviour.\nSet to \"default\" if you are not using namespaces within StorageOS.\nNamespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.\nDeprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type\nare redirected to the csi.vsphere.vmware.com CSI driver.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}}}}}},"web":{"description":"web defines the configuration of the ThanosRuler web server.","type":"object","properties":{"httpConfig":{"description":"httpConfig defines HTTP parameters for web server.","type":"object","properties":{"headers":{"description":"headers defines a list of headers that can be added to HTTP responses.","type":"object","properties":{"contentSecurityPolicy":{"description":"contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses.\nUnset if blank.","type":"string"},"strictTransportSecurity":{"description":"strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses.\nUnset if blank.\nPlease make sure that you use this with care as this header might force\nbrowsers to load Prometheus and the other applications hosted on the same\ndomain and subdomains over HTTPS.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security","type":"string"},"xContentTypeOptions":{"description":"xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses.\nUnset if blank. Accepted value is nosniff.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options","type":"string","enum":["","NoSniff"]},"xFrameOptions":{"description":"xFrameOptions defines the X-Frame-Options header to HTTP responses.\nUnset if blank. 
Accepted values are deny and sameorigin.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options","type":"string","enum":["","Deny","SameOrigin"]},"xXSSProtection":{"description":"xXSSProtection defines the X-XSS-Protection header to all responses.\nUnset if blank.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection","type":"string"}}},"http2":{"description":"http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.\nWhen TLSConfig is not configured, HTTP/2 will be disabled.\nWhenever the value of the field changes, a rolling update will be triggered.","type":"boolean"}}},"tlsConfig":{"description":"tlsConfig defines the TLS parameters for HTTPS.","type":"object","properties":{"cert":{"description":"cert defines the Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.","type":"string"},"cipherSuites":{"description":"cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants","type":"array","items":{"type":"string"}},"clientAuthType":{"description":"clientAuthType defines the server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType","type":"string"},"clientCAFile":{"description":"clientCAFile defines the path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with `client_ca`.","type":"string"},"client_ca":{"description":"client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field 
is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"curvePreferences":{"description":"curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID","type":"array","items":{"type":"string"}},"keyFile":{"description":"keyFile defines the path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.","type":"string"},"keySecret":{"description":"keySecret defines the secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the Maximum TLS version that is acceptable.","type":"string"},"minVersion":{"description":"minVersion defines the minimum TLS version that is acceptable.","type":"string"},"preferServerCipherSuites":{"description":"preferServerCipherSuites defines whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.","type":"boolean"}}}}}}},"status":{"description":"status defines the most recent observed status of the ThanosRuler cluster. 
Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this ThanosRuler deployment.","type":"integer","format":"int32"},"conditions":{"description":"conditions defines the current state of the ThanosRuler object.","type":"array","items":{"description":"Condition represents the state of the resources associated with the\nPrometheus, Alertmanager or ThanosRuler resource.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the\ninstance.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.","type":"string","minLength":1}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"paused":{"description":"paused defines whether any actions on the underlying managed objects are\nbeing performed. 
Only delete actions will be performed.","type":"boolean"},"replicas":{"description":"replicas defines the total number of non-terminated pods targeted by this ThanosRuler deployment\n(their labels match the selector).","type":"integer","format":"int32"},"unavailableReplicas":{"description":"unavailableReplicas defines the total number of unavailable pods targeted by this ThanosRuler deployment.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this ThanosRuler deployment\nthat have the desired version spec.","type":"integer","format":"int32"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ThanosRuler","version":"v1"}],"title":"com.coreos.monitoring.v1.ThanosRuler"},"com.coreos.monitoring.v1.ThanosRulerList":{"description":"ThanosRulerList is a list of ThanosRuler","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of thanosrulers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1.ThanosRuler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ThanosRulerList","version":"v1"}],"title":"com.coreos.monitoring.v1.ThanosRulerList"},"com.coreos.monitoring.v1alpha1.AlertmanagerConfig":{"description":"AlertmanagerConfig configures the Prometheus Alertmanager,\nspecifying how alerts should be grouped, inhibited and notified to external systems.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of AlertmanagerConfigSpec","type":"object","properties":{"inhibitRules":{"description":"inhibitRules defines the list of inhibition rules. 
The rules will only apply to alerts matching\nthe resource's namespace.","type":"array","items":{"description":"InhibitRule defines an inhibition rule that allows to mute alerts when other\nalerts are already firing.\nSee https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule","type":"object","properties":{"equal":{"description":"equal defines labels that must have an equal value in the source and target alert\nfor the inhibition to take effect. This ensures related alerts are properly grouped.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"sourceMatch":{"description":"sourceMatch defines matchers for which one or more alerts have to exist for the inhibition\nto take effect. The operator enforces that the alert matches the resource's namespace.\nThese are the \"trigger\" alerts that cause other alerts to be inhibited.","type":"array","items":{"description":"Matcher defines how to match on alert's labels.","type":"object","required":["name"],"properties":{"matchType":{"description":"matchType defines the match operation available with AlertManager >= v0.22.0.\nTakes precedence over Regex (deprecated) if non-empty.\nValid values: \"=\" (equality), \"!=\" (inequality), \"=~\" (regex match), \"!~\" (regex non-match).","type":"string","enum":["!=","=","=~","!~"]},"name":{"description":"name defines the label to match.\nThis specifies which alert label should be evaluated.","type":"string","minLength":1},"regex":{"description":"regex defines whether to match on equality (false) or regular-expression (true).\nDeprecated: for AlertManager >= v0.22.0, `matchType` should be used instead.","type":"boolean"},"value":{"description":"value defines the label value to match.\nThis is the expected value for the specified label.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"targetMatch":{"description":"targetMatch defines matchers that have to be fulfilled in the alerts to be muted.\nThe operator enforces that the alert 
matches the resource's namespace.\nWhen these conditions are met, matching alerts will be inhibited (silenced).","type":"array","items":{"description":"Matcher defines how to match on alert's labels.","type":"object","required":["name"],"properties":{"matchType":{"description":"matchType defines the match operation available with AlertManager >= v0.22.0.\nTakes precedence over Regex (deprecated) if non-empty.\nValid values: \"=\" (equality), \"!=\" (inequality), \"=~\" (regex match), \"!~\" (regex non-match).","type":"string","enum":["!=","=","=~","!~"]},"name":{"description":"name defines the label to match.\nThis specifies which alert label should be evaluated.","type":"string","minLength":1},"regex":{"description":"regex defines whether to match on equality (false) or regular-expression (true).\nDeprecated: for AlertManager >= v0.22.0, `matchType` should be used instead.","type":"boolean"},"value":{"description":"value defines the label value to match.\nThis is the expected value for the specified label.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"muteTimeIntervals":{"description":"muteTimeIntervals defines the list of MuteTimeInterval specifying when the routes should be muted.","type":"array","items":{"description":"MuteTimeInterval specifies the periods in time when notifications will be muted","type":"object","required":["name"],"properties":{"name":{"description":"name of the time interval","type":"string"},"timeIntervals":{"description":"timeIntervals defines a list of TimeInterval","type":"array","items":{"description":"TimeInterval describes intervals of time","type":"object","properties":{"daysOfMonth":{"description":"daysOfMonth defines a list of DayOfMonthRange","type":"array","items":{"description":"DayOfMonthRange is an inclusive range of days of the month beginning at 1","type":"object","properties":{"end":{"description":"end of the inclusive 
range","type":"integer","maximum":31,"minimum":-31},"start":{"description":"start of the inclusive range","type":"integer","maximum":31,"minimum":-31}}},"x-kubernetes-list-type":"atomic"},"months":{"description":"months defines a list of MonthRange","type":"array","items":{"description":"MonthRange is an inclusive range of months of the year beginning in January\nMonths can be specified by name (e.g 'January') by numerical month (e.g '1') or as an inclusive range (e.g 'January:March', '1:3', '1:March')","type":"string","pattern":"^((?i)january|february|march|april|may|june|july|august|september|october|november|december|1[0-2]|[1-9])(?:((:((?i)january|february|march|april|may|june|july|august|september|october|november|december|1[0-2]|[1-9]))$)|$)"},"x-kubernetes-list-type":"atomic"},"times":{"description":"times defines a list of TimeRange","type":"array","items":{"description":"TimeRange defines a start and end time in 24hr format","type":"object","properties":{"endTime":{"description":"endTime defines the end time in 24hr format.","type":"string","pattern":"^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$)"},"startTime":{"description":"startTime defines the start time in 24hr format.","type":"string","pattern":"^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$)"}}},"x-kubernetes-list-type":"atomic"},"weekdays":{"description":"weekdays defines a list of WeekdayRange","type":"array","items":{"description":"WeekdayRange is an inclusive range of days of the week beginning on Sunday\nDays can be specified by name (e.g 'Sunday') or as an inclusive range (e.g 'Monday:Friday')","type":"string","pattern":"^((?i)sun|mon|tues|wednes|thurs|fri|satur)day(?:((:(sun|mon|tues|wednes|thurs|fri|satur)day)$)|$)"},"x-kubernetes-list-type":"atomic"},"years":{"description":"years defines a list of YearRange","type":"array","items":{"description":"YearRange is an inclusive range of 
years","type":"string","pattern":"^2\\d{3}(?::2\\d{3}|$)"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"receivers":{"description":"receivers defines the list of receivers.","type":"array","items":{"description":"Receiver defines one or more notification integrations.","type":"object","required":["name"],"properties":{"discordConfigs":{"description":"discordConfigs defines the list of Discord configurations.","type":"array","items":{"description":"DiscordConfig configures notifications via Discord.\nSee https://prometheus.io/docs/alerting/latest/configuration/#discord_config","type":"object","required":["apiURL"],"properties":{"apiURL":{"description":"apiURL defines the secret's key that contains the Discord webhook URL.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"avatarURL":{"description":"avatarURL defines the avatar url of the message sender.","type":"string","pattern":"^https?://.+$"},"content":{"description":"content defines the template of the content's body.","type":"string","minLength":1},"httpConfig":{"description":"httpConfig defines the HTTP client configuration.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. 
If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the server's identity is not checked and the connection can be intercepted.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the server's identity is not checked and the connection can be intercepted.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the template of the message's body.","type":"string"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"title":{"description":"title defines the template of the message's title.","type":"string"},"username":{"description":"username defines the username of the message sender.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"emailConfigs":{"description":"emailConfigs defines the list of Email configurations.","type":"array","items":{"description":"EmailConfig configures notifications via Email.","type":"object","properties":{"authIdentity":{"description":"authIdentity defines the identity to use for SMTP authentication.\nThis is typically used with PLAIN authentication mechanism.","type":"string"},"authPassword":{"description":"authPassword defines the secret's key that contains the password to use for authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key 
of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"authSecret":{"description":"authSecret defines the secret's key that contains the CRAM-MD5 secret.\nThis is used for CRAM-MD5 authentication mechanism.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"authUsername":{"description":"authUsername defines the username to use for SMTP authentication.\nThis is used for SMTP AUTH when the server requires authentication.","type":"string"},"from":{"description":"from defines the sender address for email notifications.\nThis appears as the \"From\" field in the email header.","type":"string"},"headers":{"description":"headers defines additional email header key/value pairs.\nThese override any headers previously set by the notification implementation.","type":"array","items":{"description":"KeyValue defines a (key, value) tuple.","type":"object","required":["key","value"],"properties":{"key":{"description":"key defines the key of the tuple.\nThis is the identifier or name part of the key-value pair.","type":"string","minLength":1},"value":{"description":"value defines the value of the tuple.\nThis is the data or content associated with the key.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"hello":{"description":"hello defines the hostname to identify to the SMTP server.\nThis is used in the SMTP HELO/EHLO command during the connection handshake.","type":"string"},"html":{"description":"html defines the HTML body of the email notification.\nThis allows for rich formatting in the email content.","type":"string"},"requireTLS":{"description":"requireTLS defines the SMTP TLS requirement.\nNote that Go does not support unencrypted connections to remote SMTP endpoints.","type":"boolean"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"smarthost":{"description":"smarthost defines the SMTP host and port through which emails are 
sent.\nFormat should be \"hostname:port\", e.g. \"smtp.example.com:587\".","type":"string"},"text":{"description":"text defines the plain text body of the email notification.\nThis provides a fallback for email clients that don't support HTML.","type":"string"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for SMTP connections.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled, the server's identity is not checked and the connection can be intercepted.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"to":{"description":"to defines the email address to send notifications to.\nThis is the recipient address for alert notifications.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"msteamsConfigs":{"description":"msteamsConfigs defines the list of MSTeams configurations.\nIt requires Alertmanager >= 
0.26.0.","type":"array","items":{"description":"MSTeamsConfig configures notifications via Microsoft Teams.\nIt requires Alertmanager >= 0.26.0.","type":"object","required":["webhookUrl"],"properties":{"httpConfig":{"description":"httpConfig defines the HTTP client configuration for Teams webhook requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the server's certificate chain and host name are not verified, so the connection to the target is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated by RFC 8996; prefer TLS12 or TLS13 as the minimum.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the server's certificate chain and host name are not verified, so the connection to the target is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated by RFC 8996; prefer TLS12 or TLS13 as the minimum.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"summary":{"description":"summary defines the message summary template for Teams notifications.\nThis provides a brief overview that appears in Teams notification previews.\nIt requires Alertmanager >= 0.27.0.","type":"string"},"text":{"description":"text defines the message body template for Teams notifications.\nThis contains the detailed content of the Teams message.","type":"string"},"title":{"description":"title defines the message title template for Teams notifications.\nThis appears as the main heading of the Teams message card.","type":"string"},"webhookUrl":{"description":"webhookUrl defines the MSTeams webhook URL for sending notifications.\nThis is the incoming webhook URL configured in your Teams channel.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"msteamsv2Configs":{"description":"msteamsv2Configs defines the list of MSTeamsV2 configurations.\nIt requires Alertmanager >= 0.28.0.","type":"array","items":{"description":"MSTeamsV2Config configures notifications via Microsoft Teams using the new message format with adaptive cards as required by flows.\nSee https://prometheus.io/docs/alerting/latest/configuration/#msteamsv2_config\nIt requires Alertmanager >= 0.28.0.","type":"object","properties":{"httpConfig":{"description":"httpConfig defines the HTTP client configuration for Teams webhook requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the server's certificate chain and host name are not verified, so the connection to the target is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated by RFC 8996; prefer TLS12 or TLS13 as the minimum.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"text":{"description":"text defines the message body template for adaptive card notifications.\nThis contains the detailed content displayed in the Teams adaptive card format.","type":"string","minLength":1},"title":{"description":"title defines the message title template for adaptive card notifications.\nThis appears as the main heading in the Teams adaptive card.","type":"string","minLength":1},"webhookURL":{"description":"webhookURL defines the MSTeams incoming webhook URL for adaptive card notifications.\nThis webhook must support the newer adaptive cards format required by Teams flows.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"name defines the name of the receiver. Must be unique across all items from the list.","type":"string","minLength":1},"opsgenieConfigs":{"description":"opsgenieConfigs defines the list of OpsGenie configurations.","type":"array","items":{"description":"OpsGenieConfig configures notifications via OpsGenie.\nSee https://prometheus.io/docs/alerting/latest/configuration/#opsgenie_config","type":"object","properties":{"actions":{"description":"actions defines a comma separated list of actions that will be available for the alert.\nThese appear as action buttons in the OpsGenie interface.","type":"string"},"apiKey":{"description":"apiKey defines the secret's key that contains the OpsGenie API key.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"apiURL":{"description":"apiURL defines the URL to send OpsGenie API requests to.\nWhen not specified, defaults to the standard OpsGenie API endpoint.","type":"string","pattern":"^https?://.+$"},"description":{"description":"description defines the detailed description of the incident.\nThis provides additional context beyond the message field.","type":"string"},"details":{"description":"details defines a set of arbitrary key/value pairs that provide further detail about the incident.\nThese appear as additional fields in the OpsGenie alert.","type":"array","items":{"description":"KeyValue defines a (key, value) tuple.","type":"object","required":["key","value"],"properties":{"key":{"description":"key defines the key of the tuple.\nThis is the identifier or name part of the key-value pair.","type":"string","minLength":1},"value":{"description":"value defines the value of the tuple.\nThis is the data or content associated with the key.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"entity":{"description":"entity defines an optional field that can be used to specify which domain alert is related to.\nThis helps group related alerts together in OpsGenie.","type":"string"},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for OpsGenie API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the 
credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the alert text limited to 130 characters.\nThis appears as the main alert title in OpsGenie.","type":"string"},"note":{"description":"note defines an additional alert note.\nThis provides supplementary information about the alert.","type":"string"},"priority":{"description":"priority defines the priority level of alert.\nPossible values are P1, P2, P3, P4, and P5, where P1 is highest priority.","type":"string"},"responders":{"description":"responders defines the list of responders responsible for notifications.\nThese determine who gets notified when the alert is created.","type":"array","items":{"description":"OpsGenieConfigResponder defines a responder to an incident.\nOne of `id`, `name` or `username` has to be defined.","type":"object","required":["type"],"properties":{"id":{"description":"id defines the unique identifier of the responder.\nThis corresponds to the responder's ID within OpsGenie.","type":"string"},"name":{"description":"name defines the display name of the responder.\nThis is used when the responder is identified by name rather than ID.","type":"string"},"type":{"description":"type 
defines the type of responder.\nValid values include \"user\", \"team\", \"schedule\", and \"escalation\".\nThis determines how OpsGenie interprets the other identifier fields.","type":"string","minLength":1,"enum":["team","teams","user","escalation","schedule"]},"username":{"description":"username defines the username of the responder.\nThis is typically used for user-type responders when identifying by username.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"source":{"description":"source defines the backlink to the sender of the notification.\nThis helps identify where the alert originated from.","type":"string"},"tags":{"description":"tags defines a comma separated list of tags attached to the notifications.\nThese help categorize and filter alerts within OpsGenie.","type":"string"},"updateAlerts":{"description":"updateAlerts defines whether to update the message and description of the alert in OpsGenie if it already exists.\nBy default, the alert is never updated in OpsGenie; the new message only appears in the activity log.","type":"boolean"}}},"x-kubernetes-list-type":"atomic"},"pagerdutyConfigs":{"description":"pagerdutyConfigs defines the list of PagerDuty configurations.","type":"array","items":{"description":"PagerDutyConfig configures notifications via PagerDuty.\nSee https://prometheus.io/docs/alerting/latest/configuration/#pagerduty_config","type":"object","properties":{"class":{"description":"class defines the class/type of the event.","type":"string","minLength":1},"client":{"description":"client defines the client identification.","type":"string","minLength":1},"clientURL":{"description":"clientURL defines the backlink to the sender of notification.","type":"string"},"component":{"description":"component defines the part or component of the affected system that is 
broken.","type":"string","minLength":1},"description":{"description":"description of the incident.","type":"string","minLength":1},"details":{"description":"details defines the arbitrary key/value pairs that provide further detail about the incident.","type":"array","items":{"description":"KeyValue defines a (key, value) tuple.","type":"object","required":["key","value"],"properties":{"key":{"description":"key defines the key of the tuple.\nThis is the identifier or name part of the key-value pair.","type":"string","minLength":1},"value":{"description":"value defines the value of the tuple.\nThis is the data or content associated with the key.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"group":{"description":"group defines a cluster or grouping of sources.","type":"string","minLength":1},"httpConfig":{"description":"httpConfig defines the HTTP client configuration.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled the client cannot authenticate the server it connects to, so leave it unset or false unless the connection is protected by other means.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled the client cannot authenticate the server it connects to, so leave it unset or false unless the connection is protected by other means.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"pagerDutyImageConfigs":{"description":"pagerDutyImageConfigs defines a list of image details to attach that provide further detail about an incident.","type":"array","items":{"description":"PagerDutyImageConfig attaches images to an incident","type":"object","properties":{"alt":{"description":"alt is the optional alternative text for the image.","type":"string","minLength":1},"href":{"description":"href defines the optional URL; makes the image a clickable link.","type":"string"},"src":{"description":"src of the image being attached to the incident","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"pagerDutyLinkConfigs":{"description":"pagerDutyLinkConfigs defines a list of link details to attach that provide further detail about an incident.","type":"array","items":{"description":"PagerDutyLinkConfig attaches text links to an incident","type":"object","properties":{"alt":{"description":"alt defines the text that describes the purpose of the link, and can be used as the link's text.","type":"string","minLength":1},"href":{"description":"href defines the URL of the link to be 
attached","type":"string"}}},"x-kubernetes-list-type":"atomic"},"routingKey":{"description":"routingKey defines the secret's key that contains the PagerDuty integration key (when using\nEvents API v2). Either this field or `serviceKey` needs to be defined.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"serviceKey":{"description":"serviceKey defines the secret's key that contains the PagerDuty service key (when using\nintegration type \"Prometheus\"). Either this field or `routingKey` needs to\nbe defined.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"severity":{"description":"severity of the incident.","type":"string","minLength":1},"source":{"description":"source defines the unique location of the affected system.","type":"string","minLength":1},"timeout":{"description":"timeout defines the maximum time allowed for a request to PagerDuty.\nIt requires Alertmanager >= v0.30.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"url":{"description":"url defines the URL to send requests to.","type":"string","pattern":"^https?://.+$"}}},"x-kubernetes-list-type":"atomic"},"pushoverConfigs":{"description":"pushoverConfigs defines the list of Pushover configurations.","type":"array","items":{"description":"PushoverConfig configures notifications via Pushover.\nSee https://prometheus.io/docs/alerting/latest/configuration/#pushover_config","type":"object","properties":{"device":{"description":"device defines the name of a specific device to send the notification to.\nIf not specified, the notification is sent to all of the user's devices.","type":"string","minLength":1},"expire":{"description":"expire defines how long your notification will continue to be retried for,\nunless the user acknowledges the notification. 
Only applies to priority 2 notifications.","type":"string","pattern":"^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$"},"html":{"description":"html defines whether notification message is HTML or plain text.\nWhen true, the message can include HTML formatting tags.\nhtml and monospace formatting are mutually exclusive.","type":"boolean"},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for Pushover API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. 
If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the notification message content.\nThis is the main body text of the Pushover notification.","type":"string","minLength":1},"monospace":{"description":"monospace optional HTML/monospace formatting for the message, see https://pushover.net/api#html\nhtml and monospace formatting are mutually exclusive.","type":"boolean"},"priority":{"description":"priority defines the notification priority level.\nSee https://pushover.net/api#priority for valid values and behavior.","type":"string","minLength":1},"retry":{"description":"retry defines how often the Pushover servers will send the same notification to the user.\nMust be at least 30 seconds. 
Only applies to priority 2 notifications.","type":"string","pattern":"^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"sound":{"description":"sound defines the name of one of the sounds supported by device clients.\nThis overrides the user's default sound choice for this notification.","type":"string","minLength":1},"title":{"description":"title defines the notification title displayed in the Pushover message.\nThis appears as the bold header text in the notification.","type":"string","minLength":1},"token":{"description":"token defines the secret's key that contains the registered application's API token.\nSee https://pushover.net/apps for application registration.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.\nEither `token` or `tokenFile` is required.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tokenFile":{"description":"tokenFile defines the token file that contains the registered application's API token.\nSee https://pushover.net/apps for application registration.\nEither `token` or `tokenFile` is required.\nIt requires Alertmanager >= v0.26.0.","type":"string","minLength":1},"ttl":{"description":"ttl defines the time to live for the alert notification.\nThis determines how long the notification remains active before expiring.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"url":{"description":"url defines a supplementary URL shown alongside the message.\nThis creates a clickable link within the Pushover notification.","type":"string"},"urlTitle":{"description":"urlTitle defines a title for the supplementary URL.\nIf not specified, the raw URL is shown instead.","type":"string","minLength":1},"userKey":{"description":"userKey defines the secret's key that contains the recipient user's user key.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.\nEither `userKey` or `userKeyFile` is required.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"userKeyFile":{"description":"userKeyFile defines the user key file that contains the recipient user's user key.\nEither `userKey` or `userKeyFile` is required.\nIt requires Alertmanager >= v0.26.0.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"rocketchatConfigs":{"description":"rocketchatConfigs defines the list of RocketChat configurations.\nIt requires Alertmanager >= 0.28.0.","type":"array","items":{"description":"RocketChatConfig configures notifications via RocketChat.\nIt requires Alertmanager >= 0.28.0.","type":"object","required":["token","tokenID"],"properties":{"actions":{"description":"actions defines interactive actions to include in the message.\nThese appear as buttons that users can click to trigger responses.","type":"array","minItems":1,"items":{"description":"RocketChatActionConfig defines actions for RocketChat messages.","type":"object","properties":{"msg":{"description":"msg defines the message to send when the button is clicked.\nThis allows the button to post a predefined message to the channel.","type":"string","minLength":1},"text":{"description":"text defines the button text displayed to users.\nThis is the label that appears on the interactive button.","type":"string","minLength":1},"url":{"description":"url defines the URL the button links to when clicked.\nThis creates a clickable button that opens the specified URL.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"apiURL":{"description":"apiURL defines the API URL for RocketChat.\nDefaults to https://open.rocket.chat/ if not specified.","type":"string","pattern":"^https?://.+$"},"channel":{"description":"channel defines the channel to send 
alerts to.\nThis can be a channel name (e.g., \"#alerts\") or a direct message recipient.","type":"string","minLength":1},"color":{"description":"color defines the message color displayed in RocketChat.\nThis appears as a colored bar alongside the message.","type":"string","minLength":1},"emoji":{"description":"emoji defines the emoji to be displayed as an avatar.\nIf provided, this emoji will be used instead of the default avatar or iconURL.","type":"string","minLength":1},"fields":{"description":"fields defines additional fields for the message attachment.\nThese appear as structured key-value pairs within the message.","type":"array","minItems":1,"items":{"description":"RocketChatFieldConfig defines additional fields for RocketChat messages.","type":"object","properties":{"short":{"description":"short defines whether this field should be a short field.\nWhen true, the field may be displayed inline with other short fields to save space.","type":"boolean"},"title":{"description":"title defines the title of this field.\nThis appears as bold text labeling the field content.","type":"string","minLength":1},"value":{"description":"value defines the value of this field, displayed underneath the title.\nThis contains the actual data or content for the field.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for RocketChat API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified, so TLS no longer authenticates the endpoint.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"iconURL":{"description":"iconURL defines the icon URL for the message avatar.\nThis displays a custom image as the message sender's avatar.","type":"string"},"imageURL":{"description":"imageURL defines the image URL to display within the message.\nThis embeds an image directly in the message attachment.","type":"string"},"linkNames":{"description":"linkNames defines whether to enable automatic linking of usernames and channels.\nWhen true, @username and #channel references become clickable links.","type":"boolean"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"shortFields":{"description":"shortFields defines whether to use short fields in the message layout.\nWhen true, fields may be displayed side by side to save space.","type":"boolean"},"text":{"description":"text defines the message text to send.\nThis is optional because attachments can be used instead of or alongside text.","type":"string","minLength":1},"thumbURL":{"description":"thumbURL defines the thumbnail URL for the message.\nThis displays a small thumbnail image alongside the message 
content.","type":"string"},"title":{"description":"title defines the message title displayed prominently in the message.\nThis appears as bold text at the top of the message attachment.","type":"string","minLength":1},"titleLink":{"description":"titleLink defines the URL that the title will link to when clicked.\nThis makes the message title clickable in the RocketChat interface.","type":"string","minLength":1},"token":{"description":"token defines the sender token for RocketChat authentication.\nThis is the personal access token or bot token used to authenticate API requests.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tokenID":{"description":"tokenID defines the sender token ID for RocketChat authentication.\nThis is the user ID associated with the token used for API requests.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"slackConfigs":{"description":"slackConfigs defines the list of Slack configurations.","type":"array","items":{"description":"SlackConfig configures notifications via Slack.\nSee https://prometheus.io/docs/alerting/latest/configuration/#slack_config","type":"object","properties":{"actions":{"description":"actions defines a list of Slack actions that are sent with each notification.","type":"array","minItems":1,"items":{"description":"SlackAction configures a single Slack action that is sent with each\nnotification.\nSee https://api.slack.com/docs/message-attachments#action_fields and\nhttps://api.slack.com/docs/message-buttons for more information.","type":"object","required":["text","type"],"properties":{"confirm":{"description":"confirm defines an optional confirmation dialog that appears before the action is executed.\nWhen set, users must confirm their intent before the action proceeds.","type":"object","required":["text"],"properties":{"dismissText":{"description":"dismissText defines the label for the cancel button in the dialog.\nWhen not specified, defaults to \"Cancel\". This button cancels the action.","type":"string","minLength":1},"okText":{"description":"okText defines the label for the confirmation button in the dialog.\nWhen not specified, defaults to \"Okay\". 
This button proceeds with the action.","type":"string","minLength":1},"text":{"description":"text defines the main message displayed in the confirmation dialog.\nThis should be a clear question or statement asking the user to confirm their action.","type":"string","minLength":1},"title":{"description":"title defines the title text displayed at the top of the confirmation dialog.\nWhen not specified, a default title will be used.","type":"string","minLength":1}}},"name":{"description":"name defines a unique identifier for the action within the message.\nThis value is sent back to your application when the action is triggered.","type":"string","minLength":1},"style":{"description":"style defines the visual appearance of the action element.\nValid values include \"default\", \"primary\" (green), and \"danger\" (red).","type":"string","minLength":1},"text":{"description":"text defines the user-visible label displayed on the action element.\nFor buttons, this is the button text. For select menus, this is the placeholder text.","type":"string","minLength":1},"type":{"description":"type defines the type of interactive component.\nCommon values include \"button\" for clickable buttons and \"select\" for dropdown menus.","type":"string","minLength":1},"url":{"description":"url defines the URL to open when the action is triggered.\nOnly applicable for button-type actions. When set, clicking the button opens this URL.","type":"string"},"value":{"description":"value defines the payload sent when the action is triggered.\nThis data is included in the callback sent to your application.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"apiURL":{"description":"apiURL defines the secret's key that contains the Slack webhook URL.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"callbackId":{"description":"callbackId defines an identifier for the message used in interactive components.","type":"string","minLength":1},"channel":{"description":"channel defines the channel or user to send notifications to.","type":"string","minLength":1},"color":{"description":"color defines the color of the left border of the Slack message attachment.\nCan be a hex color code (e.g., \"#ff0000\") or a predefined color name.","type":"string","minLength":1},"fallback":{"description":"fallback defines a plain-text summary of the attachment for clients that don't support attachments.","type":"string","minLength":1},"fields":{"description":"fields defines a list of Slack fields that are sent with each notification.","type":"array","minItems":1,"items":{"description":"SlackField configures a single Slack field that is sent with each notification.\nEach field must contain a title, value, and optionally, a boolean value to indicate if the field\nis short enough to be displayed next to other fields designated as short.\nSee https://api.slack.com/docs/message-attachments#fields for more information.","type":"object","required":["title","value"],"properties":{"short":{"description":"short determines whether this field can be displayed alongside other short fields.\nWhen true, Slack may display this field side by side with other short fields.\nWhen false or not specified, the field takes the full width of the message.","type":"boolean"},"title":{"description":"title 
defines the label or header text displayed for this field.\nThis appears as bold text above the field value in the Slack message.","type":"string","minLength":1},"value":{"description":"value defines the content or data displayed for this field.\nThis appears below the title and can contain plain text or Slack markdown.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"footer":{"description":"footer defines small text displayed at the bottom of the message attachment.","type":"string","minLength":1},"httpConfig":{"description":"httpConfig defines the HTTP client configuration.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. 
If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the target's certificate chain and host name are not verified, so TLS no longer authenticates the endpoint.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled the client cannot authenticate the server, so the connection is exposed to interception; prefer supplying a CA via `ca`.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"iconEmoji":{"description":"iconEmoji defines the emoji to use as the bot's avatar (e.g., \":ghost:\").","type":"string","minLength":1},"iconURL":{"description":"iconURL defines the URL to an image to use as the bot's avatar.","type":"string"},"imageURL":{"description":"imageURL defines the URL to an image file that will be displayed inside the message attachment.","type":"string"},"linkNames":{"description":"linkNames enables automatic linking of channel names and usernames in the message.\nWhen true, @channel and @username will be converted to clickable links.","type":"boolean"},"mrkdwnIn":{"description":"mrkdwnIn defines which fields should be parsed as Slack markdown.\nValid values include \"pretext\", \"text\", and \"fields\".","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"atomic"},"pretext":{"description":"pretext defines optional text that appears above the message attachment block.","type":"string","minLength":1},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"shortFields":{"description":"shortFields determines whether 
fields are displayed in a compact format.\nWhen true, fields are shown side by side when possible.","type":"boolean"},"text":{"description":"text defines the main text content of the Slack message attachment.","type":"string","minLength":1},"thumbURL":{"description":"thumbURL defines the URL to an image file that will be displayed as a thumbnail\non the right side of the message attachment.","type":"string"},"timeout":{"description":"timeout defines the maximum time to wait for a webhook request to complete,\nbefore failing the request and allowing it to be retried.\nIt requires Alertmanager >= v0.30.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"title":{"description":"title defines the title text displayed in the Slack message attachment.","type":"string","minLength":1},"titleLink":{"description":"titleLink defines the URL that the title will link to when clicked.","type":"string"},"username":{"description":"username defines the slack bot user name.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"snsConfigs":{"description":"snsConfigs defines the list of SNS configurations","type":"array","items":{"description":"SNSConfig configures notifications via AWS SNS.\nSee https://prometheus.io/docs/alerting/latest/configuration/#sns_configs","type":"object","properties":{"apiURL":{"description":"apiURL defines the SNS API URL, e.g. 
https://sns.us-east-2.amazonaws.com.\nIf not specified, the SNS API URL from the SNS SDK will be used.","type":"string"},"attributes":{"description":"attributes defines SNS message attributes as key-value pairs.\nThese provide additional metadata that can be used for message filtering and routing.","type":"object","additionalProperties":{"type":"string"}},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for SNS API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. 
If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled the client cannot authenticate the server, so the connection is exposed to interception; prefer supplying a CA via `ca`.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true.\nWith validation disabled the client cannot authenticate the server, so the connection is exposed to interception; prefer supplying a CA via `ca`.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the message content of the SNS notification.\nThis is the actual notification text that will be sent to subscribers.","type":"string"},"phoneNumber":{"description":"phoneNumber defines the phone number if message is delivered via SMS in E.164 format.\nIf you don't specify this value, you must specify a value for the TopicARN or TargetARN.","type":"string"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"sigv4":{"description":"sigv4 configures AWS's Signature Version 4 signing process to sign requests.\nThis includes AWS credentials and region configuration for authentication.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key. If not specified, the environment variable\n`AWS_ACCESS_KEY_ID` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"profile":{"description":"profile defines the named AWS profile used to authenticate.","type":"string"},"region":{"description":"region defines the AWS region. If blank, the region from the default credentials chain is used.","type":"string"},"roleArn":{"description":"roleArn defines the AWS Role ARN used to authenticate, an alternative to using AWS API keys.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret. If not specified, the environment\nvariable `AWS_SECRET_ACCESS_KEY` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"useFIPSSTSEndpoint":{"description":"useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint.\nIt requires Prometheus >= v2.54.0.","type":"boolean"}}},"subject":{"description":"subject defines the subject line when the message is delivered to email endpoints.\nThis field is only used when sending to email subscribers of an SNS topic.","type":"string"},"targetARN":{"description":"targetARN defines the mobile platform endpoint ARN if message is delivered via mobile notifications.\nIf you don't specify this value, you must specify a value for the TopicARN or PhoneNumber.","type":"string"},"topicARN":{"description":"topicARN defines the SNS topic ARN, e.g. arn:aws:sns:us-east-2:698519295917:My-Topic.\nIf you don't specify this value, you must specify a value for the PhoneNumber or TargetARN.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"telegramConfigs":{"description":"telegramConfigs defines the list of Telegram configurations.","type":"array","items":{"description":"TelegramConfig configures notifications via Telegram.\nSee https://prometheus.io/docs/alerting/latest/configuration/#telegram_config","type":"object","required":["chatID"],"properties":{"apiURL":{"description":"apiURL defines the Telegram API URL, e.g. https://api.telegram.org.\nIf not specified, the default Telegram API URL will be used.","type":"string","pattern":"^https?://.+$"},"botToken":{"description":"botToken defines the Telegram bot token. 
It is mutually exclusive with `botTokenFile`.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.\nEither `botToken` or `botTokenFile` is required.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"botTokenFile":{"description":"botTokenFile defines the file to read the Telegram bot token from.\nIt is mutually exclusive with `botToken`.\nEither `botToken` or `botTokenFile` is required.\nIt requires Alertmanager >= v0.26.0.","type":"string"},"chatID":{"description":"chatID defines the Telegram chat ID where messages will be sent.\nThis can be a user ID, group ID, or channel ID (with @ prefix for public channels).","type":"integer","format":"int64"},"disableNotifications":{"description":"disableNotifications controls whether Telegram notifications are sent silently.\nWhen true, users will receive the message without notification sounds.","type":"boolean"},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for Telegram API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials 
for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify controls whether target certificate validation is disabled.\nWhen true, the certificate presented by the target is not verified, so the peer is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated (RFC 8996); prefer TLS12 or higher.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify controls whether target certificate validation is disabled.\nWhen true, the certificate presented by the target is not verified, so the peer is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated (RFC 8996); prefer TLS12 or higher.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the message template for the Telegram notification.\nThis is the content that will be sent to the specified chat.","type":"string"},"messageThreadID":{"description":"messageThreadID defines the Telegram Group Topic ID for threaded messages.\nThis allows sending messages to specific topics within Telegram groups.\nIt requires Alertmanager >= 0.26.0.","type":"integer","format":"int64"},"parseMode":{"description":"parseMode defines the parse mode for telegram message formatting.\nValid values are \"MarkdownV2\", \"Markdown\", and \"HTML\".\nThis determines how text formatting is interpreted in the message.","type":"string","enum":["MarkdownV2","Markdown","HTML"]},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"}}},"x-kubernetes-list-type":"atomic"},"victoropsConfigs":{"description":"victoropsConfigs defines the list of VictorOps configurations.","type":"array","items":{"description":"VictorOpsConfig configures notifications via VictorOps.\nSee 
https://prometheus.io/docs/alerting/latest/configuration/#victorops_config","type":"object","required":["routingKey"],"properties":{"apiKey":{"description":"apiKey defines the secret's key that contains the API key to use when talking to the VictorOps API.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"apiUrl":{"description":"apiUrl defines the VictorOps API URL.\nWhen not specified, defaults to the standard VictorOps API endpoint.","type":"string","pattern":"^https?://.+$"},"customFields":{"description":"customFields defines additional custom fields for notification.\nThese provide extra metadata that will be included with the VictorOps incident.","type":"array","items":{"description":"KeyValue defines a (key, value) tuple.","type":"object","required":["key","value"],"properties":{"key":{"description":"key defines the key of the tuple.\nThis is the identifier or name part of the key-value pair.","type":"string","minLength":1},"value":{"description":"value defines the value of the tuple.\nThis is the data or content associated with the key.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"entityDisplayName":{"description":"entityDisplayName contains a summary of the alerted problem.\nThis appears as the main title or identifier for the 
incident.","type":"string","minLength":1},"httpConfig":{"description":"httpConfig defines the HTTP client's configuration for VictorOps API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and hostname are not verified, so the server is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and hostname are not verified, so the server is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"messageType":{"description":"messageType describes the behavior of the alert.\nValid values are \"CRITICAL\", \"WARNING\", and \"INFO\".","type":"string","minLength":1},"monitoringTool":{"description":"monitoringTool defines the monitoring tool the state message is from.\nThis helps identify the source system that generated the alert.","type":"string","minLength":1},"routingKey":{"description":"routingKey defines a key used to map the alert to a team.\nThis determines which VictorOps team will receive the alert notification.","type":"string","minLength":1},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"stateMessage":{"description":"stateMessage contains a long explanation of the alerted problem.\nThis provides detailed context about the incident.","type":"string","minLength":1}}},"x-kubernetes-list-type":"atomic"},"webexConfigs":{"description":"webexConfigs defines the list of Webex configurations.","type":"array","items":{"description":"WebexConfig configures notification via Cisco Webex\nSee 
https://prometheus.io/docs/alerting/latest/configuration/#webex_config","type":"object","required":["roomID"],"properties":{"apiURL":{"description":"apiURL defines the Webex Teams API URL i.e. https://webexapis.com/v1/messages","type":"string","pattern":"^https?://.+$"},"httpConfig":{"description":"httpConfig defines the HTTP client's configuration.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and hostname are not verified, so the server is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and hostname are not verified, so the server is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the message template","type":"string"},"roomID":{"description":"roomID defines the ID of the Webex Teams room where to send the messages.","type":"string","minLength":1},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"}}},"x-kubernetes-list-type":"atomic"},"webhookConfigs":{"description":"webhookConfigs defines the List of webhook configurations.","type":"array","items":{"description":"WebhookConfig configures notifications via a generic receiver supporting the webhook payload.\nSee https://prometheus.io/docs/alerting/latest/configuration/#webhook_config","type":"object","properties":{"httpConfig":{"description":"httpConfig defines the HTTP client configuration for webhook requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that 
contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled. When true, the server certificate is not verified against ca or serverName.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled. When true, the server certificate is not verified against ca or serverName.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"maxAlerts":{"description":"maxAlerts defines the maximum number of alerts to be sent per webhook message.\nWhen 0, all alerts are included in the webhook payload.","type":"integer","format":"int32","minimum":0},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"timeout":{"description":"timeout defines the maximum time to wait for a webhook request to complete,\nbefore failing the request and allowing it to be retried.\nIt requires Alertmanager >= v0.28.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"url":{"description":"url defines the URL to send HTTP POST requests to.\nurlSecret takes precedence over url. One of urlSecret and url should be defined.","type":"string"},"urlSecret":{"description":"urlSecret defines the secret's key that contains the webhook URL to send HTTP requests to.\nurlSecret takes precedence over url. 
One of urlSecret and url should be defined.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"wechatConfigs":{"description":"wechatConfigs defines the list of WeChat configurations.","type":"array","items":{"description":"WeChatConfig configures notifications via WeChat.\nSee https://prometheus.io/docs/alerting/latest/configuration/#wechat_config","type":"object","properties":{"agentID":{"description":"agentID defines the application agent ID within WeChat Work.\nThis identifies which WeChat Work application will send the notifications.","type":"string"},"apiSecret":{"description":"apiSecret defines the secret's key that contains the WeChat API key.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"apiURL":{"description":"apiURL defines the WeChat API URL.\nWhen not specified, defaults to the standard WeChat Work API endpoint.","type":"string","pattern":"^https?://.+$"},"corpID":{"description":"corpID defines the corp id for authentication.\nThis is the unique identifier for your WeChat Work organization.","type":"string"},"httpConfig":{"description":"httpConfig defines the HTTP client configuration for WeChat API requests.","type":"object","properties":{"authorization":{"description":"authorization defines the authorization header configuration for the client.\nThis is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the basic authentication credentials for the client.\nThis is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerTokenSecret":{"description":"bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client\nfor authentication.\nThe secret needs to be in the same namespace as the AlertmanagerConfig\nobject and accessible by the Prometheus Operator.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHttp2":{"description":"enableHttp2 can be used to disable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects specifies whether the client should follow HTTP 3xx redirects.\nWhen true, the client will automatically follow redirect responses.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the OAuth2 client credentials used to fetch a token for the targets.\nThis enables OAuth2 authentication flow for HTTP requests.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the certificate presented by the server is not verified, so the TLS connection does not authenticate the peer.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyURL":{"description":"proxyURL defines an optional proxy URL for HTTP requests.\nIf defined, this field takes precedence over `proxyUrl`.","type":"string"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration for the client.\nThis includes settings for certificates, CA validation, and TLS protocol options.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.\nWhen true, the certificate presented by the server is not verified, so the TLS connection does not authenticate the peer.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"message":{"description":"message defines the API request data as defined by the WeChat API.\nThis contains the actual notification content to be sent.","type":"string"},"messageType":{"description":"messageType defines the type of message to send.\nValid values include \"text\", \"markdown\", and other WeChat Work supported message types.","type":"string"},"sendResolved":{"description":"sendResolved defines whether or not to notify about resolved alerts.","type":"boolean"},"toParty":{"description":"toParty defines the target department(s) to receive the notification.\nCan be a single department ID or multiple department IDs separated by '|'.","type":"string"},"toTag":{"description":"toTag defines the target tag(s) to receive the notification.\nCan be a single tag ID or multiple tag IDs separated by '|'.","type":"string"},"toUser":{"description":"toUser defines the target user(s) to receive the notification.\nCan be a single user ID or multiple user IDs separated by '|'.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"route":{"description":"route defines the 
Alertmanager route definition for alerts matching the resource's\nnamespace. If present, it will be added to the generated Alertmanager\nconfiguration as a first-level route.","type":"object","properties":{"activeTimeIntervals":{"description":"activeTimeIntervals is a list of MuteTimeInterval names when this route should be active.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"continue":{"description":"continue defines the boolean indicating whether an alert should continue matching subsequent\nsibling nodes. It will always be overridden to true for the first-level\nroute by the Prometheus operator.","type":"boolean"},"groupBy":{"description":"groupBy defines the list of labels to group by.\nLabels must not be repeated (unique list).\nSpecial label \"...\" (aggregate by all possible labels), if provided, must be the only element in the list.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"groupInterval":{"description":"groupInterval defines how long to wait before sending an updated notification.\nMust match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$`\nExample: \"5m\"","type":"string"},"groupWait":{"description":"groupWait defines how long to wait before sending the initial notification.\nMust match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$`\nExample: \"30s\"","type":"string"},"matchers":{"description":"matchers defines the list of matchers that the alert's labels should match. 
For the first\nlevel route, the operator removes any existing equality and regexp\nmatcher on the `namespace` label and adds a `namespace: <object\nnamespace>` matcher.","type":"array","items":{"description":"Matcher defines how to match on alert's labels.","type":"object","required":["name"],"properties":{"matchType":{"description":"matchType defines the match operation available with AlertManager >= v0.22.0.\nTakes precedence over Regex (deprecated) if non-empty.\nValid values: \"=\" (equality), \"!=\" (inequality), \"=~\" (regex match), \"!~\" (regex non-match).","type":"string","enum":["!=","=","=~","!~"]},"name":{"description":"name defines the label to match.\nThis specifies which alert label should be evaluated.","type":"string","minLength":1},"regex":{"description":"regex defines whether to match on equality (false) or regular-expression (true).\nDeprecated: for AlertManager >= v0.22.0, `matchType` should be used instead.","type":"boolean"},"value":{"description":"value defines the label value to match.\nThis is the expected value for the specified label.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"muteTimeIntervals":{"description":"muteTimeIntervals is a list of MuteTimeInterval names that will mute this route when matched.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"receiver":{"description":"receiver defines the name of the receiver for this route. 
If not empty, it should be listed in\nthe `receivers` field.","type":"string"},"repeatInterval":{"description":"repeatInterval defines how long to wait before repeating the last notification.\nMust match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$`\nExample: \"4h\"","type":"string"},"routes":{"description":"routes defines the child routes.","type":"array","items":{"x-kubernetes-preserve-unknown-fields":true},"x-kubernetes-list-type":"atomic"}}}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the ServiceMonitor. Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last 
transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"AlertmanagerConfig","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.AlertmanagerConfig"},"com.coreos.monitoring.v1alpha1.AlertmanagerConfigList":{"description":"AlertmanagerConfigList is a list of AlertmanagerConfig","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of alertmanagerconfigs. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1alpha1.AlertmanagerConfig"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"AlertmanagerConfigList","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.AlertmanagerConfigList"},"com.coreos.monitoring.v1alpha1.PrometheusAgent":{"description":"The `PrometheusAgent` custom resource definition (CRD) defines a desired [Prometheus Agent](https://prometheus.io/blog/2021/11/16/agent/) setup to run in a Kubernetes cluster.\n\nThe CRD is very similar to the `Prometheus` CRD except for features which aren't available in agent mode like rule evaluation, persistent storage and Thanos sidecar.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of the desired behavior of the Prometheus agent. More info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"additionalArgs":{"description":"additionalArgs allows setting additional arguments for the 'prometheus' container.\n\nIt is intended for e.g. activating hidden flags which are not supported by\nthe dedicated configuration options yet. The arguments are passed as-is to the\nPrometheus container which may cause issues if they are invalid or not supported\nby the given Prometheus version.\n\nIn case of an argument conflict (e.g. an argument which is already set by the\noperator itself) or when providing an invalid argument, the reconciliation will\nfail and an error will be logged.","type":"array","items":{"description":"Argument as part of the AdditionalArgs list.","type":"object","required":["name"],"properties":{"name":{"description":"name of the argument, e.g. \"scrape.discovery-reload-interval\".","type":"string","minLength":1},"value":{"description":"value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. 
--storage.tsdb.no-lockfile)","type":"string"}}}},"additionalScrapeConfigs":{"description":"additionalScrapeConfigs allows specifying a key of a Secret containing\nadditional Prometheus scrape configurations. Scrape configurations\nspecified are appended to the configurations generated by the Prometheus\nOperator. Job configurations specified must have the form as specified\nin the official Prometheus documentation:\nhttps://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config.\nAs scrape configs are appended, the user is responsible to make sure it\nis valid. Note that using this feature may expose the possibility to\nbreak upgrades of Prometheus. It is advised to review Prometheus release\nnotes to ensure that no incompatible scrape configs are going to break\nPrometheus after the upgrade.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"affinity":{"description":"affinity defines the Pods' affinity scheduling rules if specified.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and subtracting\n\"weight\" from the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"apiserverConfig":{"description":"apiserverConfig allows specifying a host and auth methods to access the\nKubernetes API server.\nIf null, Prometheus is assumed to run inside of the cluster: it will\ndiscover the API servers automatically and use the Pod's CA certificate\nand bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.","type":"object","required":["host"],"properties":{"authorization":{"description":"authorization section for the API server.\n\nCannot be set at the same time as `basicAuth`, `bearerToken`, or\n`bearerTokenFile`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth configuration for the API server.\n\nCannot be set at the same time as `authorization`, `bearerToken`, or\n`bearerTokenFile`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n *Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file to read bearer token for accessing apiserver.\n\nCannot be set at the same time as `basicAuth`, `authorization`, or `bearerToken`.\n\nDeprecated: this will be removed in a future release. Prefer using `authorization`.","type":"string"},"host":{"description":"host defines the Kubernetes API address consisting of a hostname or IP address followed\nby an optional port number.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"tlsConfig":{"description":"tlsConfig to use for the API server.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is not verified, so its identity is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"arbitraryFSAccessThroughSMs":{"description":"arbitraryFSAccessThroughSMs defines whether ServiceMonitor, PodMonitor and Probe objects are forbidden to\nreference arbitrary files on the file system of the 'prometheus'\ncontainer.\nWhen a ServiceMonitor's endpoint specifies a `bearerTokenFile` value\n(e.g.  '/var/run/secrets/kubernetes.io/serviceaccount/token'), a\nmalicious target can get access to the Prometheus service account's\ntoken in the Prometheus' scrape request. Setting\n`spec.arbitraryFSAccessThroughSMs.deny` to 'true' would prevent the attack.\nUsers should instead provide the credentials using the\n`spec.bearerTokenSecret` field.","type":"object","properties":{"deny":{"description":"deny prevents service monitors from accessing arbitrary files on the file system.\nWhen true, service monitors cannot use file-based configurations like BearerTokenFile\nthat could potentially access sensitive files. 
When false (default), such access is allowed.\nSetting this to true enhances security by preventing potential credential theft attacks.","type":"boolean"}}},"automountServiceAccountToken":{"description":"automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.","type":"boolean"},"bodySizeLimit":{"description":"bodySizeLimit defines the per-scrape limit on response body size.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"configMaps":{"description":"configMaps defines a list of ConfigMaps in the same namespace as the Prometheus\nobject, which shall be mounted into the Prometheus Pods.\nEach ConfigMap is added to the StatefulSet definition as a volume named `configmap-<configmap-name>`.\nThe ConfigMaps are mounted into /etc/prometheus/configmaps/<configmap-name> in the 'prometheus' container.","type":"array","items":{"type":"string"}},"containers":{"description":"containers allows injecting additional containers or modifying operator\ngenerated containers. This can be used to allow adding an authentication\nproxy to the Pods or to change the behavior of an operator generated\ncontainer. 
Containers described here modify an operator generated\ncontainer if they share the same name and modifications are done via a\nstrategic merge patch.\n\nThe names of containers managed by the operator are:\n* `prometheus`\n* `config-reloader`\n* `thanos-sidecar`\n\nOverriding containers is entirely outside the scope of what the\nmaintainers will support and by doing so, you accept that this behaviour\nmay break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. 
Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' 
path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native\nhistogram with custom buckets.\n\nIt requires Prometheus >= v3.4.0.","type":"boolean"},"dnsConfig":{"description":"dnsConfig defines the DNS configuration for the pods.","type":"object","properties":{"nameservers":{"description":"nameservers defines the list of DNS name server IP addresses.\nThis will be appended to the base nameservers generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"options":{"description":"options defines the list of DNS resolver options.\nThis will be merged with the base options generated from DNSPolicy.\nResolution 
options given in Options\nwill override those that appear in the base DNSPolicy.","type":"array","items":{"description":"PodDNSConfigOption defines DNS resolver options of a pod.","type":"object","required":["name"],"properties":{"name":{"description":"name is required and must be unique.","type":"string","minLength":1},"value":{"description":"value is optional.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"searches":{"description":"searches defines the list of DNS search domains for host-name lookup.\nThis will be appended to the base search paths generated from DNSPolicy.","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"dnsPolicy":{"description":"dnsPolicy defines the DNS policy for the pods.","type":"string","enum":["ClusterFirstWithHostNet","ClusterFirst","Default","None"]},"enableFeatures":{"description":"enableFeatures enables access to Prometheus feature flags. By default, no features are enabled.\n\nEnabling features which are disabled by default is entirely outside the\nscope of what the maintainers will support and by doing so, you accept\nthat this behaviour may break at any time without notice.\n\nFor more information see https://prometheus.io/docs/prometheus/latest/feature_flags/","type":"array","items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"enableOTLPReceiver":{"description":"enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol.\n\nNote that the OTLP receiver endpoint is automatically enabled if `.spec.otlpConfig` is defined.\n\nIt requires Prometheus >= v2.47.0.","type":"boolean"},"enableRemoteWriteReceiver":{"description":"enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote\nwrite protocol.\n\nWARNING: This is not considered an efficient way of ingesting samples.\nUse it with caution for specific low-volume use cases.\nIt is not suitable for 
replacing the ingestion via scraping and turning\nPrometheus into a push-based metrics collection system.\nFor more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver\n\nIt requires Prometheus >= v2.33.0.","type":"boolean"},"enableServiceLinks":{"description":"enableServiceLinks defines whether information about services should be injected into pod's environment variables","type":"boolean"},"enforcedBodySizeLimit":{"description":"enforcedBodySizeLimit when defined specifies a global limit on the size\nof uncompressed response body that will be accepted by Prometheus.\nTargets responding with a body larger than this many bytes will cause\nthe scrape to fail.\n\nIt requires Prometheus >= v2.28.0.\n\nWhen both `enforcedBodySizeLimit` and `bodySizeLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value (Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedBodySizeLimit` is greater than the `bodySizeLimit`, the `bodySizeLimit` will be set to `enforcedBodySizeLimit`.\n* Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value.\n* Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit.","type":"string","pattern":"(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$"},"enforcedKeepDroppedTargets":{"description":"enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets\ndropped by relabeling that will be kept in memory. 
The value overrides\nany `spec.keepDroppedTargets` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.keepDroppedTargets` is\ngreater than zero and less than `spec.enforcedKeepDroppedTargets`.\n\nIt requires Prometheus >= v2.47.0.\n\nWhen both `enforcedKeepDroppedTargets` and `keepDroppedTargets` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedKeepDroppedTargets` is greater than the `keepDroppedTargets`, the `keepDroppedTargets` will be set to `enforcedKeepDroppedTargets`.\n* Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value.\n* Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets.","type":"integer","format":"int64"},"enforcedLabelLimit":{"description":"enforcedLabelLimit when defined specifies a global limit on the number\nof labels per sample. 
The value overrides any `spec.labelLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelLimit` is\ngreater than zero and less than `spec.enforcedLabelLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelLimit` and `labelLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelLimit` is greater than the `labelLimit`, the `labelLimit` will be set to `enforcedLabelLimit`.\n* Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value.\n* Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit.","type":"integer","format":"int64"},"enforcedLabelNameLengthLimit":{"description":"enforcedLabelNameLengthLimit when defined specifies a global limit on the length\nof labels name per sample. 
The value overrides any `spec.labelNameLengthLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelNameLengthLimit` is\ngreater than zero and less than `spec.enforcedLabelNameLengthLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelNameLengthLimit` and `labelNameLengthLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelNameLengthLimit` is greater than the `labelNameLengthLimit`, the `labelNameLengthLimit` will be set to `enforcedLabelNameLengthLimit`.\n* Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value.\n* Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit.","type":"integer","format":"int64"},"enforcedLabelValueLengthLimit":{"description":"enforcedLabelValueLengthLimit when not null defines a global limit on the length\nof labels value per sample. 
The value overrides any `spec.labelValueLengthLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.labelValueLengthLimit` is\ngreater than zero and less than `spec.enforcedLabelValueLengthLimit`.\n\nIt requires Prometheus >= v2.27.0.\n\nWhen both `enforcedLabelValueLengthLimit` and `labelValueLengthLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedLabelValueLengthLimit` is greater than the `labelValueLengthLimit`, the `labelValueLengthLimit` will be set to `enforcedLabelValueLengthLimit`.\n* Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value.\n* Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit.","type":"integer","format":"int64"},"enforcedNamespaceLabel":{"description":"enforcedNamespaceLabel when not empty, a label will be added to:\n\n1. All metrics scraped from `ServiceMonitor`, `PodMonitor`, `Probe` and `ScrapeConfig` objects.\n2. All metrics generated from recording rules defined in `PrometheusRule` objects.\n3. All alerts generated from alerting rules defined in `PrometheusRule` objects.\n4. All vector selectors of PromQL expressions defined in `PrometheusRule` objects.\n\nThe label will not be added for objects referenced in `spec.excludedFromEnforcement`.\n\nThe label's name is this field's value.\nThe label's value is the namespace of the `ServiceMonitor`,\n`PodMonitor`, `Probe`, `PrometheusRule` or `ScrapeConfig` object.","type":"string"},"enforcedSampleLimit":{"description":"enforcedSampleLimit when defined specifies a global limit on the number\nof scraped samples that will be accepted. 
This overrides any\n`spec.sampleLimit` set by ServiceMonitor, PodMonitor, Probe objects\nunless `spec.sampleLimit` is greater than zero and less than\n`spec.enforcedSampleLimit`.\n\nIt is meant to be used by admins to keep the overall number of\nsamples/series under a desired limit.\n\nWhen both `enforcedSampleLimit` and `sampleLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedSampleLimit` is greater than the `sampleLimit`, the `sampleLimit` will be set to `enforcedSampleLimit`.\n* Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value.\n* Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit.","type":"integer","format":"int64"},"enforcedTargetLimit":{"description":"enforcedTargetLimit when defined specifies a global limit on the number\nof scraped targets. 
The value overrides any `spec.targetLimit` set by\nServiceMonitor, PodMonitor, Probe objects unless `spec.targetLimit` is\ngreater than zero and less than `spec.enforcedTargetLimit`.\n\nIt is meant to be used by admins to keep the overall number of\ntargets under a desired limit.\n\nWhen both `enforcedTargetLimit` and `targetLimit` are defined and greater than zero, the following rules apply:\n* Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0).\n  If Prometheus version is >= 2.45.0 and the `enforcedTargetLimit` is greater than the `targetLimit`, the `targetLimit` will be set to `enforcedTargetLimit`.\n* Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value.\n* Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit.","type":"integer","format":"int64"},"excludedFromEnforcement":{"description":"excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects\nto be excluded from enforcing a namespace label of origin.\n\nIt is only applicable if `spec.enforcedNamespaceLabel` is set to a non-empty value.","type":"array","items":{"description":"ObjectReference references a PodMonitor, ServiceMonitor, Probe or PrometheusRule object.","type":"object","required":["namespace","resource"],"properties":{"group":{"description":"group of the referent. When not specified, it defaults to `monitoring.coreos.com`","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name of the referent. 
When not set, all resources in the namespace are matched.","type":"string"},"namespace":{"description":"namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string","minLength":1},"resource":{"description":"resource of the referent.","type":"string","enum":["prometheusrules","servicemonitors","podmonitors","probes","scrapeconfigs"]}}}},"externalLabels":{"description":"externalLabels defines the labels to add to any time series or alerts when communicating with\nexternal systems (federation, remote storage, Alertmanager).\nLabels defined by `spec.replicaExternalLabelName` and\n`spec.prometheusExternalLabelName` take precedence over this list.","type":"object","additionalProperties":{"type":"string"}},"externalUrl":{"description":"externalUrl defines the external URL under which the Prometheus service is externally\navailable. This is necessary to generate correct URLs (for instance if\nPrometheus is accessible behind an Ingress resource).","type":"string"},"hostAliases":{"description":"hostAliases defines the optional list of hosts and IPs that will be injected into the Pod's\nhosts file if specified.","type":"array","items":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the\npod's hosts file.","type":"object","required":["hostnames","ip"],"properties":{"hostnames":{"description":"hostnames defines hostnames for the above IP address.","type":"array","items":{"type":"string"}},"ip":{"description":"ip defines the IP address of the host file entry.","type":"string"}}},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map"},"hostNetwork":{"description":"hostNetwork, when true, runs the Pod in the host's network namespace.\n\nMake sure to understand the security implications if you want to enable\nit (https://kubernetes.io/docs/concepts/configuration/overview/ ).\n\nWhen hostNetwork is enabled, this will set the DNS policy 
to\n`ClusterFirstWithHostNet` automatically (unless `.spec.DNSPolicy` is set\nto a different value).","type":"boolean"},"hostUsers":{"description":"hostUsers supports the user space in Kubernetes.\n\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/\n\nThe feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled.\nStarting Kubernetes 1.33, the feature is enabled by default.","type":"boolean"},"ignoreNamespaceSelectors":{"description":"ignoreNamespaceSelectors when true, `spec.namespaceSelector` from all PodMonitor, ServiceMonitor\nand Probe objects will be ignored. They will only discover targets\nwithin the namespace of the PodMonitor, ServiceMonitor and Probe\nobject.","type":"boolean"},"image":{"description":"image defines the container image name for Prometheus. If specified, it takes precedence\nover the `spec.baseImage`, `spec.tag` and `spec.sha` fields.\n\nSpecifying `spec.version` is still necessary to ensure the Prometheus\nOperator knows which version of Prometheus is being configured.\n\nIf neither `spec.image` nor `spec.baseImage` are defined, the operator\nwill use the latest upstream version of Prometheus available at the time\nwhen the operator was released.","type":"string"},"imagePullPolicy":{"description":"imagePullPolicy defines the image pull policy for the 'prometheus', 'init-config-reloader' and 'config-reloader' containers.\nSee https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.","type":"string","enum":["","Always","Never","IfNotPresent"]},"imagePullSecrets":{"description":"imagePullSecrets defines an optional list of references to Secrets in the same namespace\nto use for pulling images from registries.\nSee http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the 
same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"initContainers":{"description":"initContainers allows injecting initContainers to the Pod definition. Those\ncan be used to e.g. fetch secrets for injection into the Prometheus\nconfiguration from external sources. Any errors during the execution of\nan initContainer will lead to a restart of the Pod. More info:\nhttps://kubernetes.io/docs/concepts/workloads/pods/init-containers/\nInitContainers described here modify operator-generated init\ncontainers if they share the same name and modifications are done via a\nstrategic merge patch.\n\nThe names of the init containers managed by the operator are:\n* `init-config-reloader`.\n\nOverriding init containers is entirely outside the scope of what the\nmaintainers will support and by doing so, you accept that this behaviour\nmay break at any time without notice.","type":"array","items":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint.\nThe container image's CMD is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. 
Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell.\nThe container image's ENTRYPOINT is used if this is not provided.\nVariable references $(VAR_NAME) are expanded using the container's environment. If a variable\ncannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will\nproduce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless\nof whether the variable exists or not. Cannot be updated.\nMore info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container.\nCannot be updated.","type":"array","items":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. 
Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.","type":"object","required":["key","path","volumeName"],"properties":{"key":{"description":"The key within the env file. 
An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"description":"List of sources to populate environment variables in the container.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nWhen a key exists in multiple\nsources, the value associated with the last source will take precedence.\nValues defined by an Env with a duplicate key will take precedence.\nCannot be updated.","type":"array","items":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"description":"Optional text to prepend to the name of each environment variable.\nMay consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy.\nOne of Always, Never, IfNotPresent.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/containers/images#updating-images","type":"string"},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events.\nCannot be updated.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. 
If the handler fails,\nthe container is terminated and restarted according to its restart policy.\nOther management of the container blocks until the hook completes.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an\nAPI request or management event such as liveness/startup probe failure,\npreemption, resource contention, etc. The handler is not called if the\ncontainer crashes or exits. 
The Pod's termination grace period countdown begins before the\nPreStop hook is executed. Regardless of the outcome of the handler, the\ncontainer will eventually terminate within the Pod's termination grace\nperiod (unless delayed by finalizers). Other management of the container blocks until the hook completes\nor until the termination grace period is reached.\nMore info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. 
HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"sleep":{"description":"Sleep represents a duration that the container should sleep.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept\nfor backward compatibility. 
There is no validation of this field and\nlifecycle hooks will fail at runtime when it is specified.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}}}},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped.\nIf not specified, the default is defined by the container runtime in use.\nStopSignal can only be set for Pods with a non-empty .spec.os.name","type":"string"}}},"livenessProbe":{"description":"Periodic probe of container liveness.\nContainer will be restarted if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"name":{"description":"Name of the container specified as a DNS_LABEL.\nEach container in a pod must have a unique name (DNS_LABEL).\nCannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here\nDOES NOT prevent that port from being exposed. Any port which is\nlistening on the default \"0.0.0.0\" address inside a container will be\naccessible from the network.\nModifying this array with strategic merge patch may corrupt the data.\nFor more information See https://github.com/kubernetes/kubernetes/issues/108255.\nCannot be updated.","type":"array","items":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address.\nThis must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host.\nIf specified, this must be a valid port number, 0 < x < 65536.\nIf HostNetwork is specified, this must match ContainerPort.\nMost containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each\nnamed port in a pod must have a unique name. Name for the port that can be\nreferred to by services.","type":"string"},"protocol":{"description":"Protocol for port. 
Must be UDP, TCP, or SCTP.\nDefaults to \"TCP\".","type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"description":"Periodic probe of container service readiness.\nContainer will be removed from service endpoints if the probe fails.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. 
You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. 
Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. 
Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies.\nSupported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized.\nIf not specified, it defaults to NotRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod.\nThis overrides the pod-level restart policy. When this field is not specified,\nthe restart behavior is defined by the Pod's restart policy and the container type.\nAdditionally, setting the RestartPolicy as \"Always\" for the init container will\nhave the following effect:\nthis init container will be continually restarted on\nexit until all regular containers have terminated. Once all regular\ncontainers have completed, all init containers with restartPolicy \"Always\"\nwill be shut down. 
This lifecycle differs from normal init containers and\nis often referred to as a \"sidecar\" container. Although this init\ncontainer still starts in the init container sequence, it does not wait\nfor the container to complete before proceeding to the next init\ncontainer. Instead, the next init container starts immediately after this\ninit container is started, or after any startupProbe has successfully\ncompleted.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the\ncontainer should be restarted on exit. The rules are evaluated in\norder. Once a rule matches a container exit condition, the remaining\nrules are ignored. If no rule matches the container exit condition,\nthe Container-level restart policy determines whether the container\nis restarted or not. Constraints on the rules:\n- At most 20 rules are allowed.\n- Rules can have the same action.\n- Identical rules are not forbidden in validations.\nWhen rules are specified, container MUST set RestartPolicy explicitly\neven if it matches the Pod's RestartPolicy.","type":"array","items":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements\nare satisfied. The only possible value is \"Restart\" to restart the\ncontainer.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the\nspecified values. 
Possible values are:\n- In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes.\nAt most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with.\nIf set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.\nMore info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. 
If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"capabilities":{"description":"The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"description":"Capability represent POSIX capabilities type","type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"description":"Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is 
windows.","type":"string"},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". 
Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized.\nIf specified, no other probes are executed until this completes successfully.\nIf this probe fails, the Pod will be restarted, just as if the livenessProbe failed.\nThis can be used to provide different probe parameters at the beginning of a Pod's lifecycle,\nwhen it might take a long time to load data or warm a cache, than during steady-state operation.\nThis cannot be updated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. 
Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true},"scheme":{"description":"Scheme to use for connecting to the host.\nDefaults to HTTP.","type":"string"}}},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe.\nDefault to 10 seconds. 
Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.","x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. 
If this\nis not set, reads from stdin in the container will always result in EOF.\nDefault is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by\na single attach. When stdin is true the stdin stream will remain open across multiple attach\nsessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the\nfirst client attaches to stdin, and then remains open and accepts data until the client disconnects,\nat which time stdin is closed and remains closed until the container is restarted. If this\nflag is false, a container process that reads from stdin will never receive an EOF.\nDefault is false","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message\nwill be written is mounted into the container's filesystem.\nMessage written is intended to be brief final status, such as an assertion failure message.\nWill be truncated by the node if greater than 4096 bytes. The total message length across\nall containers will be limited to 12kb.\nDefaults to /dev/termination-log.\nCannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. 
File will use the contents of\nterminationMessagePath to populate the container status message on both success and failure.\nFallbackToLogsOnError will use the last chunk of container log output if the termination\nmessage file is empty and the container exited with an error.\nThe log output is limited to 2048 bytes or 80 lines, whichever is smaller.\nDefaults to File.\nCannot be updated.","type":"string"},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.\nDefault is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["devicePath","name"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem.\nCannot be updated.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"description":"Container's working directory.\nIf not specified, the container runtime's default will be used, which\nmight be configured in the container image.\nCannot be updated.","type":"string"}}}},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 
0 means no limit.\n\nIt requires Prometheus >= v2.47.0.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets.","type":"integer","format":"int64"},"labelLimit":{"description":"labelLimit defines per-scrape limit on number of labels that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit.","type":"integer","format":"int64"},"listenLocal":{"description":"listenLocal when true, the Prometheus server listens on the loopback address\ninstead of the Pod IP's address.","type":"boolean"},"logFormat":{"description":"logFormat defines the log format for Prometheus and the config-reloader sidecar.","type":"string","enum":["","logfmt","json"]},"logLevel":{"description":"logLevel for Prometheus and the config-reloader 
sidecar.","type":"string","enum":["","debug","info","warn","error"]},"maximumStartupDurationSeconds":{"description":"maximumStartupDurationSeconds defines the maximum time that the `prometheus` container's startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete.\nIf set, the value should be greater than 60 (seconds). Otherwise it will be equal to 900 seconds (15 minutes).","type":"integer","format":"int32","minimum":60},"minReadySeconds":{"description":"minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready\nwithout any of its container crashing for it to be considered available.\n\nIf unset, pods will be considered available as soon as they are ready.","type":"integer","format":"int32","minimum":0},"mode":{"description":"mode defines how the Prometheus operator deploys the PrometheusAgent pod(s).\n\n(Alpha) Using this field requires the `PrometheusAgentDaemonSet` feature gate to be enabled.","type":"string","enum":["StatefulSet","DaemonSet"]},"nameEscapingScheme":{"description":"nameEscapingScheme defines the character escaping scheme that will be requested when scraping\nfor metric and label names that do not conform to the legacy Prometheus\ncharacter set.\n\nIt requires Prometheus >= v3.4.0.","type":"string","enum":["AllowUTF8","Underscores","Dots","Values"]},"nameValidationScheme":{"description":"nameValidationScheme defines the validation scheme for metric and label names.\n\nIt requires Prometheus >= v2.55.0.","type":"string","enum":["UTF8","Legacy"]},"nodeSelector":{"description":"nodeSelector defines on which Nodes the Pods are scheduled.","type":"object","additionalProperties":{"type":"string"}},"otlp":{"description":"otlp defines the settings related to the OTLP receiver feature.\nIt requires Prometheus >= v2.55.0.","type":"object","properties":{"convertHistogramsToNHCB":{"description":"convertHistogramsToNHCB defines optional translation 
of OTLP explicit bucket histograms into native histograms with custom buckets.\nIt requires Prometheus >= v3.4.0.","type":"boolean"},"ignoreResourceAttributes":{"description":"ignoreResourceAttributes defines the list of OpenTelemetry resource attributes to ignore when `promoteAllResourceAttributes` is true.\n\nIt requires `promoteAllResourceAttributes` to be true.\nIt requires Prometheus >= v3.5.0.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"keepIdentifyingResourceAttributes":{"description":"keepIdentifyingResourceAttributes enables adding `service.name`, `service.namespace` and `service.instance.id`\nresource attributes to the `target_info` metric, on top of converting them into the `instance` and `job` labels.\n\nIt requires Prometheus >= v3.1.0.","type":"boolean"},"promoteAllResourceAttributes":{"description":"promoteAllResourceAttributes promotes all resource attributes to metric labels except the ones defined in `ignoreResourceAttributes`.\n\nCannot be true when `promoteResourceAttributes` is defined.\nIt requires Prometheus >= v3.5.0.","type":"boolean"},"promoteResourceAttributes":{"description":"promoteResourceAttributes defines the list of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none.\nCannot be defined when `promoteAllResourceAttributes` is true.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"promoteScopeMetadata":{"description":"promoteScopeMetadata controls whether to promote OpenTelemetry scope metadata (i.e. name, version, schema URL, and attributes) to metric labels.\nAs per the OpenTelemetry specification, the aforementioned scope metadata should be identifying, i.e. 
made into metric labels.\nIt requires Prometheus >= v3.6.0.","type":"boolean"},"translationStrategy":{"description":"translationStrategy defines how the OTLP receiver endpoint translates the incoming metrics.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["NoUTF8EscapingWithSuffixes","UnderscoreEscapingWithSuffixes","NoTranslation","UnderscoreEscapingWithoutSuffixes"]}}},"overrideHonorLabels":{"description":"overrideHonorLabels, when true, makes Prometheus resolve label conflicts by renaming the labels in the scraped data\nto “exported_” for all targets created from ServiceMonitor, PodMonitor and\nScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies.\nIn practice, `overrideHonorLabels: true` enforces `honorLabels: false`\nfor all ServiceMonitor, PodMonitor and ScrapeConfig objects.","type":"boolean"},"overrideHonorTimestamps":{"description":"overrideHonorTimestamps, when true, makes Prometheus ignore the timestamps for all the targets created\nfrom service and pod monitors.\nOtherwise the HonorTimestamps field of the service or pod monitor applies.","type":"boolean"},"paused":{"description":"paused defines whether the Prometheus deployment is paused; when it is, no actions except for deletion\nwill be performed on the underlying objects.","type":"boolean"},"persistentVolumeClaimRetentionPolicy":{"description":"persistentVolumeClaimRetentionPolicy controls if and how PVCs are deleted during the lifecycle of a StatefulSet.\nThe default behavior is all PVCs are retained.\nThis is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26.\nIt requires enabling the StatefulSetAutoDeletePVC feature gate.","type":"object","properties":{"whenDeleted":{"description":"WhenDeleted specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is deleted. The default policy\nof `Retain` causes PVCs to not be affected by StatefulSet deletion. 
The\n`Delete` policy causes those PVCs to be deleted.","type":"string"},"whenScaled":{"description":"WhenScaled specifies what happens to PVCs created from StatefulSet\nVolumeClaimTemplates when the StatefulSet is scaled down. The default\npolicy of `Retain` causes PVCs to not be affected by a scaledown. The\n`Delete` policy causes the associated PVCs for any excess pods above\nthe replica count to be deleted.","type":"string"}}},"podManagementPolicy":{"description":"podManagementPolicy defines the policy for creating/deleting pods when\nscaling up and down.\n\nUnlike the default StatefulSet behavior, the default policy is\n`Parallel` to avoid manual intervention in case a pod gets stuck during\na rollout.\n\nNote that updating this value implies the recreation of the StatefulSet\nwhich incurs a service outage.","type":"string","enum":["OrderedReady","Parallel"]},"podMetadata":{"description":"podMetadata defines labels and annotations which are propagated to the Prometheus pods.\n\nThe following items are reserved and cannot be overridden:\n* \"prometheus\" label, set to the name of the Prometheus object.\n* \"app.kubernetes.io/instance\" label, set to the name of the Prometheus object.\n* \"app.kubernetes.io/managed-by\" label, set to \"prometheus-operator\".\n* \"app.kubernetes.io/name\" label, set to \"prometheus\".\n* \"app.kubernetes.io/version\" label, set to the Prometheus version.\n* \"operator.prometheus.io/name\" label, set to the name of the Prometheus object.\n* \"operator.prometheus.io/shard\" label, set to the shard number of the Prometheus object.\n* \"kubectl.kubernetes.io/default-container\" annotation, set to \"prometheus\".","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. 
They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"podMonitorNamespaceSelector":{"description":"podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector\nmatches all namespaces. A null label selector (default value) matches the current\nnamespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podMonitorSelector":{"description":"podMonitorSelector defines the podMonitors to be selected for target discovery. An empty label selector\nmatches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podTargetLabels":{"description":"podTargetLabels are appended to the `spec.podTargetLabels` field of all\nPodMonitor and ServiceMonitor objects.","type":"array","items":{"type":"string"}},"portName":{"description":"portName used for the pods and governing service.\nDefault: \"web\"","type":"string"},"priorityClassName":{"description":"priorityClassName assigned to the Pods.","type":"string"},"probeNamespaceSelector":{"description":"probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label\nselector matches all namespaces. 
A null label selector matches the\ncurrent namespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeSelector":{"description":"probeSelector defines the probes to be selected for target discovery. An empty label selector\nmatches all objects. 
A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"prometheusExternalLabelName":{"description":"prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance\nname. The external label will _not_ be added when the field is set to\nthe empty string (`\"\"`).\n\nDefault: \"prometheus\"","type":"string"},"reloadStrategy":{"description":"reloadStrategy defines the strategy used to reload the Prometheus configuration.\nIf not specified, the configuration is reloaded using the /-/reload HTTP endpoint.","type":"string","enum":["HTTP","ProcessSignal"]},"remoteWrite":{"description":"remoteWrite defines the list of remote write configurations.","type":"array","items":{"description":"RemoteWriteSpec defines the configuration to write samples from Prometheus\nto a remote endpoint.","type":"object","required":["url"],"properties":{"authorization":{"description":"authorization section for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"azureAd":{"description":"azureAd for the URL.\n\nIt requires Prometheus >= v2.45.0 or Thanos >= v0.31.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.","type":"object","properties":{"cloud":{"description":"cloud defines the Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.","type":"string","enum":["AzureChina","AzureGovernment","AzurePublic"]},"managedIdentity":{"description":"managedIdentity defines the Azure User-assigned Managed identity.\nCannot be set at the same time as `oauth`, `sdk` or `workloadIdentity`.","type":"object","properties":{"clientId":{"description":"clientId defines the Azure User-assigned Managed identity.\n\nFor Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities.","type":"string","minLength":1}}},"oauth":{"description":"oauth defines the oauth config that is being used to authenticate.\nCannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.48.0 or Thanos >= v0.31.0.","type":"object","required":["clientId","clientSecret","tenantId"],"properties":{"clientId":{"description":"clientId defines the clientId of the Azure Active Directory application that is being used to 
authenticate.","type":"string","minLength":1},"clientSecret":{"description":"clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application that is being used to authenticate.","type":"string","minLength":1,"pattern":"^[0-9a-zA-Z-.]+$"}}},"scope":{"description":"scope is the custom OAuth 2.0 scope to request when acquiring tokens.\nIt requires Prometheus >= 3.9.0. Currently not supported by Thanos.","type":"string","pattern":"^[\\w\\s:/.\\\\-]+$"},"sdk":{"description":"sdk defines the Azure SDK config that is being used to authenticate.\nSee https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication\nCannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.\n\nIt requires Prometheus >= v2.52.0 or Thanos >= v0.36.0.","type":"object","properties":{"tenantId":{"description":"tenantId defines the tenant ID of the azure active directory application that is being used to authenticate.","type":"string","pattern":"^[0-9a-zA-Z-.]+$"}}},"workloadIdentity":{"description":"workloadIdentity defines the Azure Workload Identity authentication.\nCannot be set at the same time as `oauth`, `managedIdentity`, or `sdk`.\n\nIt requires Prometheus >= 3.7.0. 
Currently not supported by Thanos.","type":"object","required":["clientId","tenantId"],"properties":{"clientId":{"description":"clientId is the clientID of the Azure Active Directory application.","type":"string","minLength":1},"tenantId":{"description":"tenantId is the tenant ID of the Azure Active Directory application.","type":"string","minLength":1}}}}},"basicAuth":{"description":"basicAuth configuration for the URL.\n\nCannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"bearerToken":{"description":"bearerToken is deprecated: this will be removed in a future release.\n*Warning: this field shouldn't be used because the token value appears\nin clear-text. Prefer using `authorization`.*","type":"string"},"bearerTokenFile":{"description":"bearerTokenFile defines the file from which to read bearer token for the URL.\n\nDeprecated: this will be removed in a future release. Prefer using `authorization`.","type":"string"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.","type":"boolean"},"headers":{"description":"headers defines the custom HTTP headers to be sent along with each remote write request.\nBe aware that headers that are set by Prometheus itself can't be overwritten.\n\nIt requires Prometheus >= v2.25.0 or Thanos >= v0.24.0.","type":"object","additionalProperties":{"type":"string"}},"messageVersion":{"description":"messageVersion defines the Remote Write message's version to use when writing to the endpoint.\n\n`V1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0.\n`V2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0.\n\nWhen `V2.0` is selected, Prometheus will automatically be\nconfigured to append the metadata of scraped metrics to the WAL.\n\nBefore setting this field, consult with your remote storage provider\nwhat message version it supports.\n\nIt requires Prometheus >= v2.54.0 or 
Thanos >= v0.37.0.","type":"string","enum":["V1.0","V2.0"]},"metadataConfig":{"description":"metadataConfig defines how to send a series metadata to the remote storage.\n\nWhen the field is empty, **no metadata** is sent. But when the field is\nnull, metadata is sent.","type":"object","properties":{"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of metadata samples per send.\n\nIt requires Prometheus >= v2.29.0.","type":"integer","format":"int32","minimum":-1},"send":{"description":"send defines whether metric metadata is sent to the remote storage or not.","type":"boolean"},"sendInterval":{"description":"sendInterval defines how frequently metric metadata is sent to the remote storage.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"name":{"description":"name of the remote write queue, it must be unique if specified. The\nname is used in metrics and logging in order to differentiate queues.\n\nIt requires Prometheus >= v2.15.0 or Thanos >= 0.24.0.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 configuration for the URL.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled.\nWhen true, the server certificate is not verified, so the peer's identity is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\nTLS10 and TLS11 are deprecated protocol versions (RFC 8996); prefer TLS12 or TLS13.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"queueConfig":{"description":"queueConfig allows tuning of the remote write queue parameters.","type":"object","properties":{"batchSendDeadline":{"description":"batchSendDeadline defines the maximum time a sample will wait in buffer.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"capacity":{"description":"capacity defines the number of samples to buffer per shard before we start\ndropping them.","type":"integer"},"maxBackoff":{"description":"maxBackoff defines the maximum retry delay.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"maxRetries":{"description":"maxRetries defines the maximum number of times to retry a batch on recoverable errors.","type":"integer"},"maxSamplesPerSend":{"description":"maxSamplesPerSend defines the maximum number of samples per send.","type":"integer"},"maxShards":{"description":"maxShards defines the maximum number of shards, i.e. amount of concurrency.","type":"integer"},"minBackoff":{"description":"minBackoff defines the initial retry delay. 
Gets doubled for every retry.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"minShards":{"description":"minShards defines the minimum number of shards, i.e. amount of concurrency.","type":"integer"},"retryOnRateLimit":{"description":"retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"boolean"},"sampleAgeLimit":{"description":"sampleAgeLimit drops samples older than the limit.\nIt requires Prometheus >= v2.50.0 or Thanos >= v0.32.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"remoteTimeout":{"description":"remoteTimeout defines the timeout for requests to the remote write endpoint.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"roundRobinDNS":{"description":"roundRobinDNS controls the DNS resolution behavior for remote-write connections.\nWhen enabled:\n  - The remote-write mechanism will resolve the hostname via DNS.\n  - It will randomly select one of the resolved IP addresses and connect to it.\n\nWhen disabled (default behavior):\n  - The Go standard library will handle hostname resolution.\n  - It will attempt connections to each resolved IP address sequentially.\n\nNote: The connection timeout applies to the entire resolution and connection process.\n\n\tIf disabled, the timeout is distributed across all connection attempts.\n\nIt requires Prometheus >= v3.1.0 or Thanos >= v0.38.0.","type":"boolean"},"sendExemplars":{"description":"sendExemplars enables sending of exemplars over remote write. 
Note that\nexemplar-storage itself must be enabled using the `spec.enableFeatures`\noption for exemplars to be scraped in the first place.\n\nIt requires Prometheus >= v2.27.0 or Thanos >= v0.24.0.","type":"boolean"},"sendNativeHistograms":{"description":"sendNativeHistograms enables sending of native histograms, also known as sparse histograms\nover remote write.\n\nIt requires Prometheus >= v2.40.0 or Thanos >= v0.30.0.","type":"boolean"},"sigv4":{"description":"sigv4 defines the AWS Signature Version 4 (SigV4) request signing configuration for the URL.\n\nIt requires Prometheus >= v2.26.0 or Thanos >= v0.24.0.\n\nCannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key. If not specified, the environment variable\n`AWS_ACCESS_KEY_ID` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"profile":{"description":"profile defines the named AWS profile used to authenticate.","type":"string"},"region":{"description":"region defines the AWS region. If blank, the region from the default credentials chain is used.","type":"string"},"roleArn":{"description":"roleArn defines the AWS Role ARN used to authenticate.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret. 
If not specified, the environment\nvariable `AWS_SECRET_ACCESS_KEY` is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"useFIPSSTSEndpoint":{"description":"useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint.\nIt requires Prometheus >= v2.54.0.","type":"boolean"}}},"tlsConfig":{"description":"tlsConfig to use for the URL.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify controls whether target certificate validation is disabled. When true, the target's certificate is not verified and its identity is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL of the endpoint to send samples to.","type":"string","minLength":1},"writeRelabelConfigs":{"description":"writeRelabelConfigs defines the list of remote write relabel configurations.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is 
`HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}}}}},"remoteWriteReceiverMessageVersions":{"description":"remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the\nremote writes.\n\nIt requires Prometheus >= v2.54.0.","type":"array","minItems":1,"items":{"type":"string","enum":["V1.0","V2.0"]},"x-kubernetes-list-type":"set"},"replicaExternalLabelName":{"description":"replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name.\nThe external label will _not_ be added when the field is set to the\nempty string (`\"\"`).\n\nDefault: \"prometheus_replica\"","type":"string"},"replicas":{"description":"replicas defines the number of replicas of each shard to deploy for a 
Prometheus deployment.\n`spec.replicas` multiplied by `spec.shards` is the total number of Pods\ncreated.\n\nDefault: 1","type":"integer","format":"int32"},"resources":{"description":"resources defines the resources requests and limits of the 'prometheus' container.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"routePrefix":{"description":"routePrefix defines the route prefix Prometheus registers HTTP handlers for.\n\nThis is useful when using `spec.externalURL`, and a proxy is rewriting\nHTTP routes of a request, and the actual ExternalURL is still true, but\nthe server serves requests under a different route prefix. For example\nfor use with `kubectl proxy`.","type":"string"},"runtime":{"description":"runtime defines the values for the Prometheus process behavior","type":"object","properties":{"goGC":{"description":"goGC defines the Go garbage collection target percentage. Lowering this number may increase the CPU usage.\nSee: https://tip.golang.org/doc/gc-guide#GOGC","type":"integer","format":"int32","minimum":-1}}},"sampleLimit":{"description":"sampleLimit defines per-scrape limit on number of scraped samples that will be accepted.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit.","type":"integer","format":"int64"},"scrapeClasses":{"description":"scrapeClasses defines the list of scrape classes to expose to scraping objects such as\nPodMonitors, ServiceMonitors, Probes and ScrapeConfigs.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"array","items":{"type":"object","required":["name"],"properties":{"attachMetadata":{"description":"attachMetadata defines additional metadata to the discovered targets.\nWhen the scrape object defines its own configuration, it takes\nprecedence over the 
scrape class configuration.","type":"object","properties":{"node":{"description":"node when set to true, Prometheus attaches node metadata to the discovered\ntargets.\n\nThe Prometheus service account must have the `list` and `watch`\npermissions on the `Nodes` objects.","type":"boolean"}}},"authorization":{"description":"authorization section for the ScrapeClass.\nIt will only apply if the scrape resource doesn't specify any Authorization.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"credentialsFile":{"description":"credentialsFile defines the file to read a secret from, mutually exclusive with `credentials`.","type":"string"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"default":{"description":"default defines that the scrape applies to all scrape objects that\ndon't configure an explicit scrape class name.\n\nOnly one scrape class can be set as the default.","type":"boolean"},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\nIt will only apply if the scrape resource doesn't specify any FallbackScrapeProtocol\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"metricRelabelings":{"description":"metricRelabelings defines the relabeling rules to apply to all samples before ingestion.\n\nThe Operator adds the scrape class metric relabelings defined here.\nThen the Operator adds the target-specific metric relabelings defined in ServiceMonitors, PodMonitors, Probes and ScrapeConfigs.\nThen the Operator adds namespace enforcement relabeling rule, specified in '.spec.enforcedNamespaceLabel'.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: 
\"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"name":{"description":"name of the scrape class.","type":"string","minLength":1},"relabelings":{"description":"relabelings defines the relabeling rules to apply to all scrape targets.\n\nThe Operator automatically adds relabelings for a few standard Kubernetes fields\nlike `__meta_kubernetes_namespace` and 
`__meta_kubernetes_service_name`.\nThen the Operator adds the scrape class relabelings defined here.\nThen the Operator adds the target-specific relabelings defined in the scrape object.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels select values from existing labels. 
Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"tlsConfig":{"description":"tlsConfig defines the TLS settings to use for the scrape. When the\nscrape objects define their own CA, certificate and/or key, they take\nprecedence over the corresponding scrape class fields.\n\nFor now only the `caFile`, `certFile` and `keyFile` fields are supported.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify controls whether target certificate validation is disabled. When true, the target's certificate is not verified and its identity is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.\n\nIt requires Prometheus >= v3.5.0.","type":"boolean"},"scrapeConfigNamespaceSelector":{"description":"scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector\nmatches all namespaces. A null label selector matches the current\nnamespace only.\n\nNote that the ScrapeConfig custom resource definition is currently at Alpha level.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeConfigSelector":{"description":"scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label\nselector matches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. 
It is recommended to use\n`spec.additionalScrapeConfigs` instead.\n\nNote that the ScrapeConfig custom resource definition is currently at Alpha level.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeFailureLogFile":{"description":"scrapeFailureLogFile defines the file to which scrape failures are logged.\nReloading the configuration will reopen the file.\n\nIf the filename has an empty path, e.g. 'file.log', The Prometheus Pods\nwill mount the file into an emptyDir volume at `/var/log/prometheus`.\nIf a full path is provided, e.g. 
'/var/log/prometheus/file.log', you\nmust mount a volume in the specified directory and it must be writable.\nIt requires Prometheus >= v2.55.0.","type":"string","minLength":1},"scrapeInterval":{"description":"scrapeInterval defines interval between consecutive scrapes.\n\nDefault: \"30s\"","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.\n\n`PrometheusText1.0.0` requires Prometheus >= v3.0.0.","type":"array","items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"scrapeTimeout":{"description":"scrapeTimeout defines the number of seconds to wait until a scrape request times out.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"secrets":{"description":"secrets defines a list of Secrets in the same namespace as the Prometheus\nobject, which shall be mounted into the Prometheus Pods.\nEach Secret is added to the StatefulSet definition as a volume named `secret-<secret-name>`.\nThe Secrets are mounted into 
/etc/prometheus/secrets/<secret-name> in the 'prometheus' container.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"securityContext":{"description":"securityContext holds pod-level security attributes and common container settings.\nThis defaults to the default PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.","type":"string"}}},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. 
This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxChangePolicy":{"description":"seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes that do not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. 
Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, 
relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified).  If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"description":"Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. 
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}}}},"serviceAccountName":{"description":"serviceAccountName is the name of the ServiceAccount to use to run the\nPrometheus Pods.","type":"string"},"serviceDiscoveryRole":{"description":"serviceDiscoveryRole defines the service discovery role used to discover targets from\n`ServiceMonitor` objects and Alertmanager endpoints.\n\nIf set, the value should be either \"Endpoints\" or \"EndpointSlice\".\nIf unset, the operator assumes the \"Endpoints\" role.","type":"string","enum":["Endpoints","EndpointSlice"]},"serviceMonitorNamespaceSelector":{"description":"serviceMonitorNamespaceSelector defines the namespaces to match for ServiceMonitors discovery. An empty label selector\nmatches all namespaces. A null label selector (default value) matches the current\nnamespace only.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceMonitorSelector":{"description":"serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label\nselector matches all objects. A null label selector matches no objects.\n\nIf `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector`\nand `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged.\nThe Prometheus operator will ensure that the Prometheus configuration's\nSecret exists, but it is the responsibility of the user to provide the raw\ngzipped Prometheus configuration under the `prometheus.yaml.gz` key.\nThis behavior is *deprecated* and will be removed in the next major version\nof the custom resource definition. It is recommended to use\n`spec.additionalScrapeConfigs` instead.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceName":{"description":"serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service.\nIf defined, the Service  must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels.\nIf empty, the operator will create and manage a headless service named `prometheus-operated` for Prometheus resources,\nor `prometheus-agent-operated` for PrometheusAgent resources.\nWhen deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each.\nSee https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.","type":"string","minLength":1},"shards":{"description":"shards defines the number of shards to distribute the scraped targets onto.\n\n`spec.replicas` multiplied by `spec.shards` is the total number of Pods\nbeing created.\n\nWhen not defined, the operator assumes only one shard.\n\nNote that scaling down shards will not reshard data onto the remaining\ninstances, it must be manually moved. Increasing shards will not reshard\ndata either but it will continue to be available from the same\ninstances. 
To query globally, use either\n* Thanos sidecar + querier for query federation and Thanos Ruler for rules.\n* Remote-write to send metrics to a central location.\n\nBy default, the sharding of targets is performed on:\n* The `__address__` target's metadata label for PodMonitor,\nServiceMonitor and ScrapeConfig resources.\n* The `__param_target__` label for Probe resources.\n\nUsers can define their own sharding implementation by setting the\n`__tmp_hash` label during the target discovery with relabeling\nconfiguration (either in the monitoring resources or via scrape class).\n\nYou can also disable sharding on a specific target by setting the\n`__tmp_disable_sharding` label with relabeling configuration. When\nthe label value isn't empty, all Prometheus shards will scrape the target.","type":"integer","format":"int32"},"storage":{"description":"storage defines the storage used by Prometheus.","type":"object","properties":{"disableMountSubPath":{"description":"disableMountSubPath deprecated: subPath usage will be removed in a future release.","type":"boolean"},"emptyDir":{"description":"emptyDir to be used by the StatefulSet.\nIf specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that 
the limit is undefined.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral to be used by the StatefulSet.\nThis is a beta field in k8s 1.21 and GA in 1.15.\nFor lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate.\nMore info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. 
No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. 
This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote 
that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"volumeClaimTemplate":{"description":"volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets.\nThe easiest way to use a volume that cannot be automatically provisioned\nis to use a label selector alongside manually created PersistentVolumes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata defines the EmbeddedMetadata, which contains metadata relevant to an EmbeddedResource.","type":"object","properties":{"annotations":{"description":"annotations defines an unstructured key value map stored with a resource that may be\nset 
by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"labels define the map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/","type":"string"}}},"spec":{"description":"spec defines the specification of the  characteristics of a volume requested by a pod author.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource 
contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. 
For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. 
See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}},"status":{"description":"status is deprecated: this field is never set.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. 
Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"description":"When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource\nthat it does not recognize, then it should ignore that update and let other controllers\nhandle it.","type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being\nresized then the Condition will be set to 'Resizing'.","type":"array","items":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["status","type"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","type":"string","format":"date-time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","type":"string","format":"date-time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, this should be a short, machine understandable string that gives the reason\nfor condition's last transition. 
If it reports \"Resizing\" that means the underlying\npersistent volume is being resized.","type":"string"},"status":{"description":"Status is the status of the condition.\nCan be True, False, Unknown.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required","type":"string"},"type":{"description":"Type is the type of the condition.\nMore info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.\nWhen unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.\nWhen this is unset, there is no ModifyVolume operation being attempted.","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. 
Consumers should check for unknown statuses and fail appropriately.","type":"string"},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}}},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.","type":"string"}}}}}}},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will be accepted.\nOnly valid in Prometheus versions 2.45.0 and newer.\n\nNote that the global limit only applies to scrape objects that don't specify an explicit limit value.\nIf you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit.","type":"integer","format":"int64"},"terminationGracePeriodSeconds":{"description":"terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down) which may lead to data corruption.\n\nDefaults to 600 seconds.","type":"integer","format":"int64","minimum":0},"tolerations":{"description":"tolerations defines the Pods' tolerations if specified.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. 
Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}},"topologySpreadConstraints":{"description":"topologySpreadConstraints defines the pod's topology spread constraints if specified.","type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"additionalLabelSelectors":{"description":"additionalLabelSelectors Defines what Prometheus Operator managed labels should be added to labelSelector on the topologySpreadConstraint.","type":"string","enum":["OnResource","OnShard"]},"labelSelector":{"description":"LabelSelector is used to find matching pods.\nPods that match this label selector are counted to determine the number of pods\nin their corresponding topology domain.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which\nspreading will be calculated. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are ANDed with labelSelector\nto select the group of existing pods over which spreading will be calculated\nfor the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.\nMatchLabelKeys cannot be set when LabelSelector isn't set.\nKeys that don't exist in the incoming pod labels will\nbe ignored. 
A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed.\nWhen `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference\nbetween the number of matching pods in the target topology and the global minimum.\nThe global minimum is the minimum number of matching pods in an eligible domain\nor zero if the number of eligible domains is less than MinDomains.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 2/2/1:\nIn this case, the global minimum is 1.\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |   P   |\n- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;\nscheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)\nviolate MaxSkew(1).\n- if MaxSkew is 2, incoming pod can be scheduled onto any zone.\nWhen `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence\nto topologies that satisfy it.\nIt's a required field. 
Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains.\nWhen the number of eligible domains with matching topology keys is less than minDomains,\nPod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed.\nAnd when the number of eligible domains with matching topology keys equals or greater than minDomains,\nthis value has no effect on scheduling.\nAs a result, when the number of eligible domains is less than minDomains,\nscheduler won't schedule more than maxSkew Pods to those domains.\nIf value is nil, the constraint behaves as if MinDomains is equal to 1.\nValid values are integers greater than 0.\nWhen value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same\nlabelSelector spread as 2/2/2:\n| zone1 | zone2 | zone3 |\n|  P P  |  P P  |  P P  |\nThe number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0.\nIn this situation, new pod with the same labelSelector cannot be scheduled,\nbecause computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,\nit will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector\nwhen calculating pod topology spread skew. Options are:\n- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.\n- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.","type":"string"},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating\npod topology spread skew. 
Options are:\n- Honor: nodes without taints, along with tainted nodes for which the incoming pod\nhas a toleration, are included.\n- Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.","type":"string"},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key\nand identical values are considered to be in the same topology.\nWe consider each <key, value> as a \"bucket\", and try to put balanced number\nof pods into each bucket.\nWe define a domain as a particular instance of a topology.\nAlso, we define an eligible domain as a domain whose nodes meet the requirements of\nnodeAffinityPolicy and nodeTaintsPolicy.\ne.g. If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology.\nAnd, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology.\nIt's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy\nthe spread constraint.\n- DoNotSchedule (default) tells the scheduler not to schedule it.\n- ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod\nif and only if every possible node assignment for that pod would violate\n\"MaxSkew\" on some topology.\nFor example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same\nlabelSelector spread as 3/1/1:\n| zone1 | zone2 | zone3 |\n| P P P |   P   |   P   |\nIf WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled\nto zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies\nMaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler\nwon't make it *more* imbalanced.\nIt's a required field.","type":"string"}}}},"tracingConfig":{"description":"tracingConfig defines tracing in Prometheus.\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.","type":"object","required":["endpoint"],"properties":{"clientType":{"description":"clientType defines the client used to export the traces. Supported values are `HTTP` and `GRPC`.","type":"string","enum":["http","grpc","HTTP","GRPC"]},"compression":{"description":"compression key for supported compression types. The only supported value is `Gzip`.","type":"string","enum":["gzip","Gzip"]},"endpoint":{"description":"endpoint to send the traces to. Should be provided in format <host>:<port>.","type":"string","minLength":1},"headers":{"description":"headers defines the key-value pairs to be used as headers associated with gRPC or HTTP requests.","type":"object","additionalProperties":{"type":"string"}},"insecure":{"description":"insecure defines whether the client connects without transport security. If disabled, the client will use a secure connection. If enabled, traces are sent over an unencrypted connection.","type":"boolean"},"samplingFraction":{"description":"samplingFraction defines the probability a given trace will be sampled. 
Must be a float from 0 through 1.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"timeout":{"description":"timeout defines the maximum time the exporter will wait for each batch export.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig to use when sending traces.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"caFile":{"description":"caFile defines the path to the CA cert in the Prometheus container to use for the targets.","type":"string"},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the client cert file in the Prometheus container for the targets.","type":"string"},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified, so the identity of the endpoint is not authenticated.","type":"boolean"},"keyFile":{"description":"keyFile defines the path to the client key file in the Prometheus container for the targets.","type":"string"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}},"tsdb":{"description":"tsdb defines the runtime reloadable configuration of the timeseries database(TSDB).\nIt requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.","type":"object","properties":{"outOfOrderTimeWindow":{"description":"outOfOrderTimeWindow defines how old an out-of-order/out-of-bounds sample can be with\nrespect to the TSDB max time.\n\nAn out-of-order/out-of-bounds sample is ingested into the TSDB as long as\nthe timestamp of the sample is >= (TSDB.MaxTime - outOfOrderTimeWindow).\n\nThis is an *experimental feature*, it may change in any upcoming release\nin a breaking way.\n\nIt requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}},"updateStrategy":{"description":"updateStrategy indicates the strategy that will be employed to update\nPods in the StatefulSet when a revision is made to statefulset's Pod\nTemplate.\n\nThe default strategy is RollingUpdate.","type":"object","required":["type"],"properties":{"rollingUpdate":{"description":"rollingUpdate is used to communicate parameters when 
type is RollingUpdate.","type":"object","properties":{"maxUnavailable":{"description":"maxUnavailable is the maximum number of pods that can be unavailable\nduring the update. The value can be an absolute number (ex: 5) or a\npercentage of desired pods (ex: 10%). Absolute number is calculated from\npercentage by rounding up. This can not be 0.  Defaults to 1. This field\nis alpha-level and is only honored by servers that enable the\nMaxUnavailableStatefulSet feature. The field applies to all pods in the\nrange 0 to Replicas-1.  That means if there is any unavailable pod in\nthe range 0 to Replicas-1, it will be counted towards MaxUnavailable.","x-kubernetes-int-or-string":true}}},"type":{"description":"type indicates the type of the StatefulSetUpdateStrategy.\n\nDefault is RollingUpdate.","type":"string","enum":["OnDelete","RollingUpdate"]}},"x-kubernetes-validations":[{"message":"rollingUpdate requires type to be RollingUpdate","rule":"!(self.type != 'RollingUpdate' && has(self.rollingUpdate))"}]},"version":{"description":"version of Prometheus being deployed. The operator uses this information\nto generate the Prometheus StatefulSet + configuration files.\n\nIf not specified, the operator assumes the latest upstream version of\nPrometheus available at the time when the version of the operator was\nreleased.","type":"string"},"volumeMounts":{"description":"volumeMounts allows the configuration of additional VolumeMounts.\n\nVolumeMounts will be appended to other VolumeMounts in the 'prometheus'\ncontainer, that are generated as a result of StorageSpec objects.","type":"array","items":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["mountPath","name"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  
Must\nnot contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10.\nWhen RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified\n(which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled\nrecursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made\nrecursively read-only.  If this field is set to IfPossible, the mount is made\nrecursively read-only, if it is supported by the container runtime.  
If this\nfield is set to Enabled, the mount is made recursively read-only if it is\nsupported by the container runtime, otherwise the pod will not be started and\nan error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to\nNone (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive.","type":"string"}}}},"volumes":{"description":"volumes allows the configuration of additional volumes on the output\nStatefulSet definition. Volumes specified will be appended to other\nvolumes that are generated as a result of StorageSpec objects.","type":"array","items":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: AWSElasticBlockStore is deprecated. 
All operations for the in-tree\nawsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}}},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.\nDeprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type\nare redirected to the disk.csi.azure.com CSI driver.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.","type":"string"},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"}}},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.\nDeprecated: AzureFile is deprecated. All operations for the in-tree azureFile type\nare redirected to the file.csi.azure.com CSI driver.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the  name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.\nDeprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is optional: User is the rados user name, default is admin\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine.\nDeprecated: Cinder is deprecated. All operations for the in-tree cinder type\nare redirected to the cinder.csi.openstack.org CSI driver.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect\nto OpenStack.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"description":"volumeID used to identify the volume in cinder.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"configMap":{"description":"configMap represents a configMap that should populate this volume","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' 
path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume.\nConsult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. 
\"ext4\", \"xfs\", \"ntfs\".\nIf not provided, the empty value is passed to the associated CSI driver\nwhich will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing\nsensitive information to pass to the CSI driver to complete the CSI\nNodePublishVolume and NodeUnpublishVolume calls.\nThis field is optional, and  may be empty if no secret is required. If the\nsecret object contains more than one secret, all secret references are passed.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume.\nDefaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI\ndriver. Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits to use on created files by default. 
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: 
https://kubernetes.io/docs/concepts/storage/volumes#emptydir","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver.\nThe volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,\nand deleted when the pod is removed.\n\nUse this if:\na) the volume is only needed while the pod runs,\nb) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and\nd) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific\nAPIs for volumes that persist for longer than the lifecycle\nof an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to\nbe used that way - see the documentation of the driver for\nmore information.\n\nA pod can use both types of ephemeral volumes and\npersistent volumes at the same time.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod.  The name of the PVC will be `<pod name>-<volume name>` where\n`<volume name>` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. 
Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to be updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\n\nRequired, must not be nil.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation.","type":"object"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here.","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the 
group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be 
enabled.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"resources":{"description":"resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. 
Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"description":"selector is a label query over volumes to consider for binding.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string or nil value indicates that no\nVolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,\nthis field can be reset to its previous value (including nil) to cancel the modification.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec.","type":"string"},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}}}}}},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids)\nEither wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"description":"flexVolume represents a generic volume resource that is\nprovisioned/attached using an exec based plugin.\nDeprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing\nsensitive information to pass to the plugin scripts. This may be\nempty if no secret object is specified. 
If the secret object\ncontains more than one secret, all secrets are passed to the plugin\nscripts.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.\nDeprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","type":"object","properties":{"datasetName":{"description":"datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker\nshould be considered as deprecated","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset","type":"string"}}},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nDeprecated: GCEPersistentDisk is deprecated. All operations for the in-tree\ngcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}}},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision.\nDeprecated: GitRepo is deprecated. To provision a container with a git repo, mount an\nEmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir\ninto the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name.\nMust not contain or start with '..'.  If '.' is supplied, the volume directory will be the\ngit repository.  
Otherwise, if specified, the volume will contain the git repository in\nthe subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}}},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.\nDeprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology.","type":"string"},"path":{"description":"path is the Glusterfs volume path.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. 
Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume\nDefaults to \"\"\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"}}},"image":{"description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.\nThe volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\n- Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\n- IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.\nA failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. 
Failures will be retried using normal volume backoff and will be reported on the pod reason and message.\nThe types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.\nThe OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.\nThe volume will be mounted read-only (ro) and non-executable files (noexec).\nSub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.\nThe field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.","type":"object","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are:\nAlways: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.\nNever: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.\nIfNotPresent: the kubelet pulls if the reference isn't already present on disk. 
Container creation will fail if the reference isn't present and the pull fails.\nDefaults to Always if :latest tag is specified, or IfNotPresent otherwise.","type":"string"},"reference":{"description":"Required: Image or artifact reference to be used.\nBehaves in the same way as pod.spec.containers[*].image.\nPull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.\nMore info: https://kubernetes.io/docs/concepts/containers/images\nThis field is optional to allow higher level config management to default or override\ncontainer images in workload controllers like Deployments and StatefulSets.","type":"string"}}},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi","type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n<target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260).","type":"string"}}},"name":{"description":"name of the volume.\nMust be a DNS_LABEL and unique within the pod.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"object","required":["path","server"],"properties":{"path":{"description":"path that is exported by the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}}},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a\nPersistentVolumeClaim in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts.\nDefault false.","type":"boolean"}}},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.\nDeprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type 
is no longer supported.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}}},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine.\nDeprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type\nare redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate\nis on.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}}},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections. 
Each entry in this list\nhandles one source.","type":"array","items":{"description":"Projection that may be projected along with other supported volume types.\nExactly one of these fields must be set.","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem.  Esoteric PEM features such as inter-block\ncomments and block headers are stripped.  Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector.  Only has\neffect if signerName is set.  Mutually-exclusive with name.  If unset,\ninterpreted as \"match nothing\".  If set but empty, interpreted as \"match\neverything\".","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"description":"Select a single ClusterTrustBundle by object name.  Mutually-exclusive\nwith signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s)\naren't available.  If using name, then the named ClusterTrustBundle is\nallowed not to exist.  If using signerName, then the combination of\nsignerName and labelSelector is allowed to match zero\nClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name.\nMutually-exclusive with name.  The contents of all selected\nClusterTrustBundles will be unified and deduplicated.","type":"string"}}},"configMap":{"description":"configMap information about the configMap data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. 
Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. 
The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"description":"Projects an auto-rotating credential bundle (private key and certificate\nchain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a\nPodCertificateRequest to the named signer.  Once the signer approves the\nrequest and issues a certificate chain, Kubelet writes the key and\ncertificate chain to the pod filesystem.  The pod does not start until\ncertificates have been issued for each podCertificate projected volume\nsource in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated\nby the signer using the PodCertificateRequest.Status.BeginRefreshAt\ntimestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath\nfield, or separate files, indicated by the keyPath and\ncertificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  
The first PEM\nentry is the private key (in PKCS#8 format), and the remaining PEM\nentries are the certificate chain issued by the signer (typically,\nsigners will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code\ncan read it atomically.  If you use keyPath and certificateChainPath,\nyour application must make two separate file reads. If these coincide\nwith a certificate rotation, it is possible that the private key and leaf\ncertificate you read may not correspond to each other.  Your application\nwill need to check for this condition, and re-read until they are\nconsistent.\n\nThe named signer chooses the format of the certificate it\nissues; consult the signer implementation's documentation to learn how to\nuse the certificates it issues.","type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"description":"Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"credentialBundlePath":{"description":"Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks.\nThe first PEM block is a PRIVATE KEY block, containing a PKCS#8 private\nkey.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued\ncertificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single\natomic read that retrieves a consistent key and certificate chain.  
If you\nproject them to separate files, your application code will need to\nadditionally check that the leaf certificate was issued to the key.","type":"string"},"keyPath":{"description":"Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath\nand certificateChainPath, your application needs to check that the key\nand leaf certificate are consistent, because it is possible to read the\nfiles mid-rotation.","type":"string"},"keyType":{"description":"The type of keypair Kubelet will generate for the pod.\n\nValid values are \"RSA3072\", \"RSA4096\", \"ECDSAP256\", \"ECDSAP384\",\n\"ECDSAP521\", and \"ED25519\".","type":"string"},"maxExpirationSeconds":{"description":"maxExpirationSeconds is the maximum lifetime permitted for the\ncertificate.\n\nKubelet copies this value verbatim into the PodCertificateRequests it\ngenerates for this projection.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver\nwill reject values shorter than 3600 (1 hour).  The maximum allowable\nvalue is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any\nlifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600\nseconds (1 hour).  This constraint is enforced by kube-apiserver.\n`kubernetes.io` signers will never issue certificates with a lifetime\nlonger than 24 hours.","type":"integer","format":"int32"},"signerName":{"description":"Kubelet's generated CSRs will be addressed to this signer.","type":"string"}}},"secret":{"description":"secret information about the secret data to project","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token\nmust identify itself with an identifier specified in the audience of the\ntoken, and otherwise should reject the token. 
The audience defaults to the\nidentifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service\naccount token. As the token approaches expiration, the kubelet volume\nplugin will proactively rotate the service account token. The kubelet will\nstart trying to rotate the token if the token is older than 80 percent of\nits time to live or if the token is older than 24 hours. Defaults to 1 hour\nand must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the\ntoken into.","type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime.\nDeprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to\nDefault is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions.\nDefaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services\nspecified as a string as host:port pair (multiple entries are separated with commas)\nwhich acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend\nUsed with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to\nDefaults to serviceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}}},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nDeprecated: RBD is 
deprecated and the in-tree rbd type is no longer supported.","type":"object","required":["image","monitors"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided\noverrides keyring.\nDefault is nil.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"description":"user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.\nDeprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other\nsensitive information. If this is not provided, Login operation will fail.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"description":"sslEnabled Flag enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system\nthat is associated with this volume source.","type":"string"}}},"secret":{"description":"secret represents a secret that should populate this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values\nfor mode bits. Defaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. 
If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'.","type":"array","items":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}}},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.\nDeprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API\ncredentials.  If not specified, default values will be attempted.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume\nnames are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no\nnamespace is specified then the Pod's namespace will be used.  This allows the\nKubernetes name scoping to be mirrored within StorageOS for tighter integration.\nSet VolumeName to any name to override the default behaviour.\nSet to \"default\" if you are not using namespaces within StorageOS.\nNamespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.\nDeprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type\nare redirected to the csi.vsphere.vmware.com CSI driver.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}}}}}},"walCompression":{"description":"walCompression defines the compression of the write-ahead log (WAL) using Snappy.\n\nWAL compression is enabled by default for Prometheus >= 2.20.0\n\nRequires Prometheus v2.11.0 and above.","type":"boolean"},"web":{"description":"web defines the configuration of the Prometheus web server.","type":"object","properties":{"httpConfig":{"description":"httpConfig defines HTTP parameters for web server.","type":"object","properties":{"headers":{"description":"headers defines a list of headers that can be added to HTTP responses.","type":"object","properties":{"contentSecurityPolicy":{"description":"contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses.\nUnset if blank.","type":"string"},"strictTransportSecurity":{"description":"strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses.\nUnset if blank.\nPlease make sure that you use this with care as this header might force\nbrowsers to load Prometheus and the other applications hosted on the same\ndomain and subdomains over HTTPS.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security","type":"string"},"xContentTypeOptions":{"description":"xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses.\nUnset if blank. 
Accepted value is nosniff.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options","type":"string","enum":["","NoSniff"]},"xFrameOptions":{"description":"xFrameOptions defines the X-Frame-Options header to HTTP responses.\nUnset if blank. Accepted values are deny and sameorigin.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options","type":"string","enum":["","Deny","SameOrigin"]},"xXSSProtection":{"description":"xXSSProtection defines the X-XSS-Protection header to all responses.\nUnset if blank.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection","type":"string"}}},"http2":{"description":"http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.\nWhen TLSConfig is not configured, HTTP/2 will be disabled.\nWhenever the value of the field changes, a rolling update will be triggered.","type":"boolean"}}},"maxConnections":{"description":"maxConnections defines the maximum number of simultaneous connections\nA zero value means that Prometheus doesn't accept any incoming connection.","type":"integer","format":"int32","minimum":0},"pageTitle":{"description":"pageTitle defines the prometheus web page title.","type":"string"},"tlsConfig":{"description":"tlsConfig defines the TLS parameters for HTTPS.","type":"object","properties":{"cert":{"description":"cert defines the Secret or ConfigMap containing the TLS certificate for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `certFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"certFile":{"description":"certFile defines the path to the TLS certificate file in the container for the web server.\n\nEither `keySecret` or `keyFile` must be defined.\n\nIt is mutually exclusive with `cert`.","type":"string"},"cipherSuites":{"description":"cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.\n\nIf not defined, the Go default cipher suites are used.\nAvailable cipher suites are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#pkg-constants","type":"array","items":{"type":"string"}},"clientAuthType":{"description":"clientAuthType defines the server policy for client TLS authentication.\n\nFor more detail on clientAuth options:\nhttps://golang.org/pkg/crypto/tls/#ClientAuthType","type":"string"},"clientCAFile":{"description":"clientCAFile defines the path to the CA certificate file for client certificate authentication to\nthe server.\n\nIt is mutually exclusive with 
`client_ca`.","type":"string"},"client_ca":{"description":"client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate\nauthentication to the server.\n\nIt is mutually exclusive with `clientCAFile`.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"curvePreferences":{"description":"curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference\norder.\n\nAvailable curves are documented in the Go documentation:\nhttps://golang.org/pkg/crypto/tls/#CurveID","type":"array","items":{"type":"string"}},"keyFile":{"description":"keyFile defines the path to the TLS private key file in the container for the web server.\n\nIf defined, either `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keySecret`.","type":"string"},"keySecret":{"description":"keySecret defines the secret containing the TLS private key for the web server.\n\nEither `cert` or `certFile` must be defined.\n\nIt is mutually exclusive with `keyFile`.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the Maximum TLS version that is acceptable.","type":"string"},"minVersion":{"description":"minVersion defines the minimum TLS version that is acceptable.","type":"string"},"preferServerCipherSuites":{"description":"preferServerCipherSuites defines whether the server selects the client's most preferred cipher\nsuite, or the server's most preferred cipher suite.\n\nIf true then the server's preference, as expressed in\nthe order of elements in cipherSuites, is used.","type":"boolean"}}}}}},"x-kubernetes-validations":[{"message":"replicas cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.replicas))"},{"message":"storage cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.storage))"},{"message":"shards cannot be greater than 1 when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.shards) && self.shards > 1)"},{"message":"persistentVolumeClaimRetentionPolicy cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.persistentVolumeClaimRetentionPolicy))"},{"message":"scrapeConfigSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.scrapeConfigSelector))"},{"message":"probeSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.probeSelector))"},{"message":"scrapeConfigNamespaceSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && 
has(self.scrapeConfigNamespaceSelector))"},{"message":"probeNamespaceSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.probeNamespaceSelector))"},{"message":"serviceMonitorSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.serviceMonitorSelector))"},{"message":"serviceMonitorNamespaceSelector cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.serviceMonitorNamespaceSelector))"},{"message":"additionalScrapeConfigs cannot be set when mode is DaemonSet","rule":"!(has(self.mode) && self.mode == 'DaemonSet' && has(self.additionalScrapeConfigs))"}]},"status":{"description":"status defines the most recent observed status of the Prometheus cluster. Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this Prometheus deployment.","type":"integer","format":"int32"},"conditions":{"description":"conditions defines the current state of the Prometheus deployment.","type":"array","items":{"description":"Condition represents the state of the resources associated with the\nPrometheus, Alertmanager or ThanosRuler resource.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the\ninstance.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.","type":"string","minLength":1}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"paused":{"description":"paused defines whether any actions on the underlying managed objects are\nbeing performed. Only delete actions will be performed.","type":"boolean"},"replicas":{"description":"replicas defines the total number of non-terminated pods targeted by this Prometheus deployment\n(their labels match the selector).","type":"integer","format":"int32"},"selector":{"description":"selector used to match the pods targeted by this Prometheus resource.","type":"string"},"shardStatuses":{"description":"shardStatuses defines a list with one entry per shard. 
Each entry provides a summary of the shard status.","type":"array","items":{"type":"object","required":["availableReplicas","replicas","shardID","unavailableReplicas","updatedReplicas"],"properties":{"availableReplicas":{"description":"availableReplicas defines the total number of available pods (ready for at least minReadySeconds)\ntargeted by this shard.","type":"integer","format":"int32"},"replicas":{"description":"replicas defines the total number of pods targeted by this shard.","type":"integer","format":"int32"},"shardID":{"description":"shardID defines the identifier of the shard.","type":"string"},"unavailableReplicas":{"description":"unavailableReplicas defines the Total number of unavailable pods targeted by this shard.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this shard\nthat have the desired spec.","type":"integer","format":"int32"}}},"x-kubernetes-list-map-keys":["shardID"],"x-kubernetes-list-type":"map"},"shards":{"description":"shards defines the most recently observed number of shards.","type":"integer","format":"int32"},"unavailableReplicas":{"description":"unavailableReplicas defines the total number of unavailable pods targeted by this Prometheus deployment.","type":"integer","format":"int32"},"updatedReplicas":{"description":"updatedReplicas defines the total number of non-terminated pods targeted by this Prometheus deployment\nthat have the desired version spec.","type":"integer","format":"int32"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PrometheusAgent","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.PrometheusAgent"},"com.coreos.monitoring.v1alpha1.PrometheusAgentList":{"description":"PrometheusAgentList is a list of PrometheusAgent","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of prometheusagents. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1alpha1.PrometheusAgent"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"PrometheusAgentList","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.PrometheusAgentList"},"com.coreos.monitoring.v1alpha1.ScrapeConfig":{"description":"ScrapeConfig defines a namespaced Prometheus scrape_config to be aggregated across\nmultiple namespaces into the Prometheus configuration.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the specification of ScrapeConfigSpec.","type":"object","properties":{"authorization":{"description":"authorization defines the header to use on every scrape request.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"azureSDConfigs":{"description":"azureSDConfigs defines a list of Azure service discovery configurations.","type":"array","items":{"description":"AzureSDConfig allow retrieving scrape targets from Azure VMs.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#azure_sd_config","type":"object","required":["subscriptionID"],"properties":{"authenticationMethod":{"description":"authenticationMethod defines the authentication method, either `OAuth` or `ManagedIdentity` or `SDK`.\nSee https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview\nSDK authentication method uses environment variables by default.\nSee https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication","type":"string","enum":["OAuth","ManagedIdentity","SDK"]},"authorization":{"description":"authorization defines the authorization header configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `oAuth2`, or `basicAuth`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the information to authenticate against the target HTTP endpoint.\nMore info: https://prometheus.io/docs/operating/configuration/#endpoints\nCannot be set at the same time as `authorization`, or `oAuth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientID":{"description":"clientID defines client ID. 
Only required with the OAuth authentication method.","type":"string","minLength":1},"clientSecret":{"description":"clientSecret defines client secret. Only required with the OAuth authentication method.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"environment":{"description":"environment defines the Azure environment.","type":"string","minLength":1},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified, so the connection can be intercepted by an endpoint impersonating the server.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must\ninstead be specified in the relabeling rule.","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"resourceGroup":{"description":"resourceGroup defines resource group name. Limits discovery to this resource group.\nRequires  Prometheus v2.35.0 and above","type":"string","minLength":1},"subscriptionID":{"description":"subscriptionID defines subscription ID. Always required.","type":"string","minLength":1},"tenantID":{"description":"tenantID defines tenant ID. 
Only required with the OAuth authentication method.","type":"string","minLength":1},"tlsConfig":{"description":"tlsConfig defines the TLS configuration applying to the target HTTP endpoint.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified, so the connection can be intercepted by an endpoint impersonating the target.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key 
of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"consulSDConfigs":{"description":"consulSDConfigs defines a list of Consul service discovery configurations.","type":"array","items":{"description":"ConsulSDConfig defines a Consul service discovery configuration\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#consul_sd_config","type":"object","required":["server"],"properties":{"allowStale":{"description":"allowStale Consul results (see https://www.consul.io/api/features/consistency.html). 
Will reduce load on Consul.\nIf unset, Prometheus uses its default value.","type":"boolean"},"authorization":{"description":"authorization defines the header configuration to authenticate against the Consul Server.\nCannot be set at the same time as `basicAuth`, or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the information to authenticate against the Consul Server.\nMore info: https://prometheus.io/docs/operating/configuration/#endpoints\nCannot be set at the same time as `authorization`, or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"datacenter":{"description":"datacenter defines the consul Datacenter name, if not provided it will use the local Consul Agent Datacenter.","type":"string","minLength":1},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"filter":{"description":"filter defines the filter expression used to filter the catalog results.\nSee https://www.consul.io/api-docs/catalog#list-services\nIt requires Prometheus >= 3.0.0.","type":"string","minLength":1},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"namespace":{"description":"namespace are only supported in Consul Enterprise.\n\nIt requires Prometheus >= 2.28.0.","type":"string","minLength":1},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"nodeMeta":{"description":"nodeMeta defines the node metadata key/value pairs to filter nodes for a given service.\nStarting with Consul 1.14, it is recommended to use `filter` with the `NodeMeta` selector instead.","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"partition":{"description":"partition defines the admin partition. Admin Partitions are only supported in Consul Enterprise.","type":"string","minLength":1},"pathPrefix":{"description":"pathPrefix defines the prefix for URIs when Consul is behind an API gateway (reverse proxy).\n\nIt requires Prometheus >= 2.45.0.","type":"string","minLength":1},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"scheme":{"description":"scheme defines the HTTP Scheme.","type":"string","enum":["http","https","HTTP","HTTPS"]},"server":{"description":"server defines the consul server address. A valid string consisting of a hostname or IP followed by an optional port number.","type":"string","minLength":1},"services":{"description":"services defines a list of services for which targets are retrieved. If omitted, all services are scraped.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"tagSeparator":{"description":"tagSeparator defines the string by which Consul tags are joined into the tag label.\nIf unset, Prometheus uses its default value.","type":"string","minLength":1},"tags":{"description":"tags defines an optional list of tags used to filter nodes for a given service. 
Services must contain all tags in the list.\nStarting with Consul 1.14, it is recommended to use `filter` with the `ServiceTags` selector instead.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenRef":{"description":"tokenRef defines the Consul ACL TokenRef. If not provided, the ACL from the local Consul Agent is used.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}},"convertClassicHistogramsToNHCB":{"description":"convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.\nIt requires Prometheus >= v3.0.0.","type":"boolean"},"digitalOceanSDConfigs":{"description":"digitalOceanSDConfigs defines a list of DigitalOcean service discovery configurations.","type":"array","items":{"description":"DigitalOceanSDConfig allows retrieving scrape targets from DigitalOcean's Droplets API.\nThis service discovery uses the public IPv4 address by default, but that can be changed with relabeling.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#digitalocean_sd_config","type":"object","properties":{"authorization":{"description":"authorization defines the header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's certificate chain and host name are not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"dnsSDConfigs":{"description":"dnsSDConfigs defines a list of DNS service discovery configurations.","type":"array","items":{"description":"DNSSDConfig allows specifying a set of DNS domain names which are periodically queried to discover a list of targets.\nThe DNS servers to be contacted are read from /etc/resolv.conf.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#dns_sd_config","type":"object","required":["names"],"properties":{"names":{"description":"names defines a list of DNS domain names to be queried.","type":"array","minItems":1,"items":{"type":"string","minLength":1}},"port":{"description":"port defines the port to scrape metrics from. 
If using the public IP address, this must\nIgnored for SRV records","type":"integer","format":"int32","maximum":65535,"minimum":0},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"type":{"description":"type defines the type of DNS query to perform. One of SRV, A, AAAA, MX or NS.\nIf not set, Prometheus uses its default value.\n\nWhen set to NS, it requires Prometheus >= v2.49.0.\nWhen set to MX, it requires Prometheus >= v2.38.0","type":"string","enum":["A","AAAA","MX","NS","SRV"]}}}},"dockerSDConfigs":{"description":"dockerSDConfigs defines a list of Docker service discovery configurations.","type":"array","items":{"description":"Docker SD configurations allow retrieving scrape targets from Docker Engine hosts.\nThis SD discovers \"containers\" and will create a target for each network IP and\nport the container is configured to expose.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#docker_sd_config","type":"object","required":["host"],"properties":{"authorization":{"description":"authorization defines the  header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"filters":{"description":"filters defines filters to limit the discovery process to a subset of the available resources.","type":"array","items":{"description":"Filter name and value pairs to limit the discovery process to a subset of available resources.","type":"object","required":["name","values"],"properties":{"name":{"description":"name of the Filter.","type":"string"},"values":{"description":"values defines values to filter on.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"host":{"description":"host defines the address of the docker daemon","type":"string","minLength":1},"hostNetworkingHost":{"description":"hostNetworkingHost defines the host to use if the container is in host networking mode.","type":"string","minLength":1},"matchFirstNetwork":{"description":"matchFirstNetwork defines whether to match the first network if the container has multiple networks defined.\nIf unset, Prometheus uses true by default.\nIt requires Prometheus >= v2.54.1.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is accepted without verification.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is accepted without verification.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"dockerSwarmSDConfigs":{"description":"dockerSwarmSDConfigs defines a list of Dockerswarm service discovery configurations.","type":"array","items":{"description":"DockerSwarmSDConfig configurations allow retrieving scrape targets from Docker Swarm engine.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#dockerswarm_sd_config","type":"object","required":["host","role"],"properties":{"authorization":{"description":"authorization defines the  header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"filters":{"description":"filters defines the filters to limit the discovery process to a subset of available\nresources.\nThe available filters are listed in the upstream documentation:\nServices: https://docs.docker.com/engine/api/v1.40/#operation/ServiceList\nTasks: https://docs.docker.com/engine/api/v1.40/#operation/TaskList\nNodes: https://docs.docker.com/engine/api/v1.40/#operation/NodeList","type":"array","items":{"description":"Filter name and value pairs to limit the discovery process to a subset of available resources.","type":"object","required":["name","values"],"properties":{"name":{"description":"name of the Filter.","type":"string"},"values":{"description":"values defines values to filter on.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"host":{"description":"host defines the address of the Docker daemon","type":"string","pattern":"^[a-zA-Z][a-zA-Z0-9+.-]*://.+$"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is accepted without verification.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must\ntasks and services that don't have published ports.","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"role":{"description":"role of the targets to retrieve. Must be `Services`, `Tasks`, or `Nodes`.","type":"string","enum":["Services","Tasks","Nodes"]},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines how to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"ec2SDConfigs":{"description":"ec2SDConfigs defines a list of EC2 service discovery configurations.","type":"array","items":{"description":"EC2SDConfig allow retrieving scrape targets from AWS EC2 instances.\nThe private IP address is used by default, but may be changed to the public IP address with relabeling.\nThe IAM credentials used must have the ec2:DescribeInstances permission to discover scrape targets\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ec2_sd_config\n\nThe EC2 service discovery requires AWS API keys or role ARN for authentication.\nBasicAuth, Authorization and OAuth2 fields are not present on purpose.","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API key.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.\nIt requires Prometheus >= v2.41.0","type":"boolean"},"filters":{"description":"filters can be used optionally to filter the instance list by other criteria.\nAvailable filter criteria can be found here:\nhttps://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html\nFilter API documentation: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Filter.html\nIt requires Prometheus >= v2.3.0","type":"array","items":{"description":"Filter name and value pairs to limit the discovery process to a subset of available resources.","type":"object","required":["name","values"],"properties":{"name":{"description":"name of the Filter.","type":"string"},"values":{"description":"values defines values to filter on.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.\nIt requires Prometheus >= v2.41.0","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"port":{"description":"port defines the port to scrape metrics from. 
If using the public IP address, this must\ninstead be specified in the relabeling rule.","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"region":{"description":"region defines the AWS region.","type":"string","minLength":1},"roleARN":{"description":"roleARN defines an alternative to using 
AWS API keys.","type":"string","minLength":1},"secretKey":{"description":"secretKey defines the AWS API secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the AWS EC2 API.\nIt requires Prometheus >= v2.41.0","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify disables target certificate validation when set to true; the peer's certificate chain and hostname are then not verified.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"enableCompression":{"description":"enableCompression when false, Prometheus will request uncompressed response from the scraped target.\n\nIt requires Prometheus >= v2.49.0.\n\nIf unset, Prometheus uses true by default.","type":"boolean"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable 
HTTP2.","type":"boolean"},"eurekaSDConfigs":{"description":"eurekaSDConfigs defines a list of Eureka service discovery configurations.","type":"array","items":{"description":"Eureka SD configurations allow retrieving scrape targets using the Eureka REST API.\nPrometheus will periodically check the REST endpoint and create a target for every app instance.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#eureka_sd_config","type":"object","required":["server"],"properties":{"authorization":{"description":"authorization defines the header configuration to authenticate against the Eureka server.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines the BasicAuth information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines how to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"server":{"description":"server defines the URL to connect to the Eureka server.","type":"string","minLength":1,"pattern":"^http(s)?://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Eureka server.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only for testing.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"fallbackScrapeProtocol":{"description":"fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"fileSDConfigs":{"description":"fileSDConfigs defines a list of file service discovery configurations.","type":"array","items":{"description":"FileSDConfig defines a Prometheus file service discovery configuration\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#file_sd_config","type":"object","required":["files"],"properties":{"files":{"description":"files defines the list of files to be used for file discovery. Recommendation: use absolute paths. 
While relative paths work, the\nprometheus-operator project makes no guarantees about the working directory where the configuration file is\nstored.\nFiles must be mounted using Prometheus.ConfigMaps or Prometheus.Secrets.","type":"array","minItems":1,"items":{"description":"SDFile represents a file used for service discovery","type":"string","pattern":"^[^*]*(\\*[^/]*)?\\.(json|yml|yaml|JSON|YML|YAML)$"},"x-kubernetes-list-type":"set"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"}}}},"gceSDConfigs":{"description":"gceSDConfigs defines a list of GCE service discovery configurations.","type":"array","items":{"description":"GCESDConfig configures scrape targets from GCP GCE instances.\nThe private IP address is used by default, but may be changed to\nthe public IP address with relabeling.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config\n\nThe GCE service discovery will load the Google Cloud credentials\nfrom the file specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.\nSee https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform\n\nA pre-requisite for using GCESDConfig is that a Secret containing valid\nGoogle Cloud credentials is mounted into the Prometheus or PrometheusAgent\npod via the `.spec.secrets` field and that the GOOGLE_APPLICATION_CREDENTIALS\nenvironment variable is set to /etc/prometheus/secrets/<secret-name>/<credentials-filename.json>.","type":"object","required":["project","zone"],"properties":{"filter":{"description":"filter defines the filter that can be used optionally to filter the instance list by other criteria\nSyntax of this filter is described in the filter query parameter 
section:\nhttps://cloud.google.com/compute/docs/reference/latest/instances/list","type":"string","minLength":1},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must\ninstead be specified in the relabeling rule.","type":"integer","format":"int32","maximum":65535,"minimum":0},"project":{"description":"project defines the Google Cloud Project ID","type":"string","minLength":1},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tagSeparator":{"description":"tagSeparator defines the separator used to separate the tags on concatenation","type":"string","minLength":1},"zone":{"description":"zone defines the zone of the scrape targets. If you need multiple zones use multiple GCESDConfigs.","type":"string","minLength":1}}}},"hetznerSDConfigs":{"description":"hetznerSDConfigs defines a list of Hetzner service discovery configurations.","type":"array","items":{"description":"HetznerSDConfig allow retrieving scrape targets from Hetzner Cloud API and Robot API.\nThis service discovery uses the public IPv4 address by default, but that can be changed with relabeling\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#hetzner_sd_config","type":"object","required":["role"],"properties":{"authorization":{"description":"authorization defines the authorization header configuration to authenticate against the Hetzner API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"labelSelector":{"description":"labelSelector defines the label selector used to filter the servers when fetching them from the API.\nIt requires Prometheus >= v3.5.0.","type":"string","minLength":1},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only for testing.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"role":{"description":"role defines the Hetzner role of entities that should be discovered.","type":"string","enum":["hcloud","Hcloud","robot","Robot"]},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Hetzner API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only for testing.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"honorLabels":{"description":"honorLabels defines whether to keep the metric's labels when they collide\nwith the target's labels.","type":"boolean"},"honorTimestamps":{"description":"honorTimestamps defines whether Prometheus preserves the timestamps\nwhen exposed by the target.","type":"boolean"},"httpSDConfigs":{"description":"httpSDConfigs defines a list of HTTP service discovery configurations.","type":"array","items":{"description":"HTTPSDConfig defines a prometheus HTTP service discovery configuration\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config","type":"object","required":["url"],"properties":{"authorization":{"description":"authorization defines the authorization header configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `oAuth2`, or `basicAuth`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.\nMore info: https://prometheus.io/docs/operating/configuration/#endpoints\nCannot be set at the same time as `authorization`, or `oAuth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration applying to the target HTTP endpoint.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL from which the targets are fetched.","type":"string","minLength":1,"pattern":"^http(s)?://.+$"}}}},"ionosSDConfigs":{"description":"ionosSDConfigs defines a list of IONOS service discovery configurations.","type":"array","items":{"description":"IonosSDConfig configurations allow retrieving scrape targets from IONOS resources.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ionos_sd_config","type":"object","required":["authorization","datacenterID"],"properties":{"authorization":{"description":"authorization defines the header configuration to authenticate against IONOS.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"datacenterID":{"description":"datacenterID defines the unique ID of the IONOS data center.","type":"string","minLength":1},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"jobName":{"description":"jobName defines the value of the `job` label assigned to the scraped metrics by default.\n\nThe `job_name` field in the rendered scrape configuration is always controlled by the\noperator to prevent duplicate job names, which Prometheus does not allow. Instead the\n`job` label is set by means of relabeling configs.","type":"string","minLength":1},"keepDroppedTargets":{"description":"keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling\nthat will be kept in memory. 
0 means no limit.\n\nIt requires Prometheus >= v2.47.0.","type":"integer","format":"int64"},"kubernetesSDConfigs":{"description":"kubernetesSDConfigs defines a list of Kubernetes service discovery configurations.","type":"array","items":{"description":"KubernetesSDConfig allows retrieving scrape targets from Kubernetes' REST API.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config","type":"object","required":["role"],"properties":{"apiServer":{"description":"apiServer defines the API server address consisting of a hostname or IP address followed\nby an optional port number.\nIf left empty, Prometheus is assumed to run inside\nof the cluster. It will discover API servers automatically and use the pod's\nCA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.","type":"string","minLength":1},"attachMetadata":{"description":"attachMetadata defines the metadata to attach to discovered targets.\nIt requires Prometheus >= v2.35.0 when using the `Pod` role and\nPrometheus >= v2.37.0 for `Endpoints` and `Endpointslice` roles.","type":"object","properties":{"node":{"description":"node attaches node metadata to discovered targets.\nWhen set to true, Prometheus must have the `get` permission on the\n`Nodes` objects.\nOnly valid for Pod, Endpoint and Endpointslice roles.","type":"boolean"}}},"authorization":{"description":"authorization defines the authorization header to use on every scrape request.\nCannot be set at the same time as `basicAuth`, or `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.\nCannot be set at the same time as `authorization`, or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"namespaces":{"description":"namespaces defines the namespace discovery. If omitted, Prometheus discovers targets across all namespaces.","type":"object","properties":{"names":{"description":"names defines a list of namespaces where to watch for resources.\nIf empty and `ownNamespace` isn't true, Prometheus watches for resources in all namespaces.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"ownNamespace":{"description":"ownNamespace includes the namespace in which the Prometheus pod runs to the list of watched namespaces.","type":"boolean"}}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is not verified, so the peer's identity is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"role":{"description":"role defines the Kubernetes role of the entities that should be discovered.\nRole `EndpointSlice` requires Prometheus >= v2.21.0","type":"string","enum":["Pod","Endpoints","Ingress","Service","Node","EndpointSlice"]},"selectors":{"description":"selectors defines the selector to select objects.\nIt requires Prometheus >= v2.17.0","type":"array","items":{"description":"K8SSelectorConfig is Kubernetes Selector Config","type":"object","required":["role"],"properties":{"field":{"description":"field defines an optional field selector to limit the service discovery to resources which have fields with specific values.\ne.g: `metadata.name=foobar`","type":"string","minLength":1},"label":{"description":"label defines an optional label selector to limit the service discovery to resources with specific labels and label values.\ne.g: `node.kubernetes.io/instance-type=master`","type":"string","minLength":1},"role":{"description":"role defines the type of Kubernetes resource to limit the service discovery to.\nAccepted values are: Node, Pod, Endpoints, EndpointSlice, Service, 
Ingress.","type":"string","enum":["Pod","Endpoints","Ingress","Service","Node","EndpointSlice"]}}},"x-kubernetes-list-map-keys":["role"],"x-kubernetes-list-type":"map"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Kubernetes API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is not verified, so the peer's identity is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"kumaSDConfigs":{"description":"kumaSDConfigs defines a list of Kuma service discovery configurations.","type":"array","items":{"description":"KumaSDConfig allows retrieving scrape targets from Kuma's control plane.\nSee 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kuma_sd_config","type":"object","required":["server"],"properties":{"authorization":{"description":"authorization defines the header configuration to authenticate against the Kuma control plane.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientID":{"description":"clientID is used by Kuma Control Plane to compute Monitoring Assignment for specific Prometheus backend.\nIt requires Prometheus >= v2.50.0.","type":"string","minLength":1},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"fetchTimeout":{"description":"fetchTimeout defines the time after which the monitoring assignments are refreshed.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the certificate presented by the server is not verified, so the peer's identity is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"server":{"description":"server defines the address of the Kuma Control Plane's MADS xDS server.","type":"string","pattern":"^https?://.+$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only when validation is not possible.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"labelLimit":{"description":"labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"labelNameLengthLimit":{"description":"labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"labelValueLengthLimit":{"description":"labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.\nOnly valid in Prometheus versions 2.27.0 and newer.","type":"integer","format":"int64"},"lightSailSDConfigs":{"description":"lightSailSDConfigs defines a list of Lightsail service discovery configurations.","type":"array","items":{"description":"LightSailSDConfig configurations allow retrieving scrape targets from AWS Lightsail instances.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#lightsail_sd_config","type":"object","properties":{"accessKey":{"description":"accessKey defines the AWS API 
key.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"authorization":{"description":"authorization defines the  header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. 
The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.\nCannot be set at the same time as `authorization`, or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"endpoint":{"description":"endpoint defines the custom endpoint to be used.","type":"string","minLength":1},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only when validation is not possible.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"region":{"description":"region defines the AWS region.","type":"string","minLength":1},"roleARN":{"description":"roleARN defines the AWS Role ARN, an alternative to using AWS API keys.","type":"string"},"secretKey":{"description":"secretKey defines the AWS API secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified and the connection can be intercepted, so enable it only when validation is not possible.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"linodeSDConfigs":{"description":"linodeSDConfigs defines a list of Linode service discovery configurations.","type":"array","items":{"description":"LinodeSDConfig configurations allow retrieving scrape targets from Linode's Linode APIv4.\nSee 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#linode_sd_config","type":"object","properties":{"authorization":{"description":"authorization defines the  header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's identity is not verified and the connection is open to interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"region":{"description":"region defines the region to filter on.","type":"string","minLength":1},"tagSeparator":{"description":"tagSeparator defines the string by which Linode Instance tags are joined into the tag label.","type":"string","minLength":1},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's identity is not verified and the connection is open to interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"metricRelabelings":{"description":"metricRelabelings defines the metricRelabelings to apply to samples before ingestion.","type":"array","minItems":1,"items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: \"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against 
which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels that select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"metricsPath":{"description":"metricsPath defines the HTTP path to scrape for metrics. If empty, Prometheus uses the default value (e.g. 
/metrics).","type":"string","minLength":1},"nameEscapingScheme":{"description":"nameEscapingScheme defines the metric name escaping mode to request through content negotiation.\n\nIt requires Prometheus >= v3.4.0.","type":"string","enum":["AllowUTF8","Underscores","Dots","Values"]},"nameValidationScheme":{"description":"nameValidationScheme defines the validation scheme for metric and label names.\n\nIt requires Prometheus >= v3.0.0.","type":"string","enum":["UTF8","Legacy"]},"nativeHistogramBucketLimit":{"description":"nativeHistogramBucketLimit defines if there are more than this many buckets in a native histogram,\nbuckets will be merged to stay within the limit.\nIt requires Prometheus >= v2.45.0.","type":"integer","format":"int64"},"nativeHistogramMinBucketFactor":{"description":"nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this,\nbuckets will be merged to increase the factor sufficiently.\nIt requires Prometheus >= v2.50.0.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"nomadSDConfigs":{"description":"nomadSDConfigs defines a list of Nomad service discovery configurations.","type":"array","items":{"description":"NomadSDConfig configurations allow retrieving scrape targets from Nomad's Service API.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#nomad_sd_config","type":"object","required":["server"],"properties":{"allowStale":{"description":"allowStale defines the information to access the Nomad API. 
It is to be defined\nas the Nomad documentation requires.","type":"boolean"},"authorization":{"description":"authorization defines the  header configuration to authenticate against the DigitalOcean API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"namespace":{"description":"namespace defines the Nomad namespace to query for service discovery.\nWhen specified, only resources within this namespace will be discovered.","type":"string"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server's identity is not verified and the connection is open to interception.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"region":{"description":"region defines the Nomad region to query for service discovery.\nWhen specified, only resources within this region will be discovered.","type":"string"},"server":{"description":"server defines the Nomad server address to connect to for service discovery.\nThis should be the full URL including protocol (e.g., \"https://nomad.example.com:4646\").","type":"string","minLength":1},"tagSeparator":{"description":"tagSeparator defines the separator used to join multiple tags.\nThis determines how Nomad service tags are concatenated into Prometheus labels.","type":"string"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Nomad API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for 
the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified, so the identity of the endpoint is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}}}}},"oauth2":{"description":"oauth2 defines the configuration to use on every scrape request.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified, so the identity of the endpoint is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"openstackSDConfigs":{"description":"openstackSDConfigs defines a list of OpenStack service discovery configurations.","type":"array","items":{"description":"OpenStackSDConfig allows retrieving scrape targets from OpenStack Nova instances.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#openstack_sd_config","type":"object","required":["region","role"],"properties":{"allTenants":{"description":"allTenants defines whether the service discovery should list all instances for all projects.\nIt is only relevant for the 'instance' role and usually requires admin permissions.","type":"boolean"},"applicationCredentialId":{"description":"applicationCredentialId defines the OpenStack applicationCredentialId.","type":"string"},"applicationCredentialName":{"description":"applicationCredentialName defines the OpenStack application credential name. The applicationCredentialId or applicationCredentialName fields are\nrequired if using an application credential to authenticate. 
Some providers\nallow you to create an application credential to authenticate rather than a\npassword.","type":"string","minLength":1},"applicationCredentialSecret":{"description":"applicationCredentialSecret selects the Secret key holding the application credential secret. It is required if using an application\ncredential to authenticate.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"availability":{"description":"availability defines the availability of the endpoint to connect to.","type":"string","enum":["Public","public","Admin","admin","Internal","internal"]},"domainID":{"description":"domainID defines the OpenStack domainID.","type":"string","minLength":1},"domainName":{"description":"domainName defines the OpenStack domain name. At most one of domainID and domainName must be provided if using username\nwith Identity V3. Otherwise, either is optional.","type":"string","minLength":1},"identityEndpoint":{"description":"identityEndpoint defines the HTTP endpoint that is required to work with\nthe Identity API of the appropriate version.","type":"string","pattern":"^http(s)?:\\/\\/.+$"},"password":{"description":"password defines the password for the Identity V2 and V3 APIs. Consult with your provider's\ncontrol panel to discover your account's preferred method of authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must\ninstead be specified in the relabeling rule.","type":"integer","format":"int32","maximum":65535,"minimum":0},"projectID":{"description":"projectID defines the OpenStack projectID.","type":"string","minLength":1},"projectName":{"description":"projectName defines an optional field for the Identity V2 API.\nSome providers allow you to specify a ProjectName instead of the ProjectId.\nSome require both. 
Your provider's authentication policies will determine\nhow these fields influence authentication.","type":"string","minLength":1},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"region":{"description":"region defines the OpenStack Region.","type":"string","minLength":1},"role":{"description":"role defines the OpenStack role of entities that should be discovered.\n\nNote: The `LoadBalancer` role requires Prometheus >= v3.2.0.","type":"string","enum":["Instance","Hypervisor","LoadBalancer"]},"tlsConfig":{"description":"tlsConfig defines the TLS configuration applying to the target HTTP endpoint.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation. When true, the server certificate is not verified, so the identity of the endpoint is not authenticated.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"userid":{"description":"userid defines the OpenStack userid.","type":"string","minLength":1},"username":{"description":"username defines the username required if using Identity V2 API. 
Consult with your provider's\ncontrol panel to discover your account's username.\nIn Identity V3, either userid or a combination of username\nand domainId or domainName are needed","type":"string","minLength":1}}}},"ovhcloudSDConfigs":{"description":"ovhcloudSDConfigs defines a list of OVHcloud service discovery configurations.","type":"array","items":{"description":"OVHCloudSDConfig configurations allow retrieving scrape targets from OVHcloud's dedicated servers and VPS using their API.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ovhcloud_sd_config","type":"object","required":["applicationKey","applicationSecret","consumerKey","service"],"properties":{"applicationKey":{"description":"applicationKey defines the access key to use for OVHCloud API authentication.\nThis is obtained from the OVHCloud API credentials at https://api.ovh.com.","type":"string","minLength":1},"applicationSecret":{"description":"applicationSecret defines the secret key for OVHCloud API authentication.\nThis contains the application secret obtained during OVHCloud API credential creation.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"consumerKey":{"description":"consumerKey defines the consumer key for OVHCloud API authentication.\nThis is the third component of OVHCloud's three-key authentication system.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpoint":{"description":"endpoint defines a custom API endpoint to be used.\nWhen not specified, defaults to the standard OVHCloud API endpoint for the region.","type":"string","minLength":1},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"service":{"description":"service defines the service type of the targets to retrieve.\nMust be either `VPS` or `DedicatedServer` to specify which OVHCloud resources to discover.","type":"string","enum":["VPS","DedicatedServer"]}}}},"params":{"description":"params defines optional HTTP URL 
parameters","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"puppetDBSDConfigs":{"description":"puppetDBSDConfigs defines a list of PuppetDB service discovery configurations.","type":"array","items":{"description":"PuppetDBSDConfig configurations allow retrieving scrape targets from PuppetDB resources.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#puppetdb_sd_config","type":"object","required":["query","url"],"properties":{"authorization":{"description":"authorization defines the 
header configuration to authenticate against the PuppetDB API.\nCannot be set at the same time as `oauth2`.","type":"object","properties":{"credentials":{"description":"credentials defines a key of a Secret in the namespace that contains the credentials for authentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"type":{"description":"type defines the authentication type. The value is case-insensitive.\n\n\"Basic\" is not a supported value.\n\nDefault: \"Bearer\"","type":"string"}}},"basicAuth":{"description":"basicAuth defines information to use on every scrape request.\nCannot be set at the same time as `authorization`, or `oauth2`.","type":"object","properties":{"password":{"description":"password defines a key of a Secret containing the password for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"username":{"description":"username defines a key of a Secret containing the username for\nauthentication.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"includeParameters":{"description":"includeParameters defines whether to include the parameters as meta labels.\nNote: Enabling this exposes parameters in the Prometheus UI and API. Make sure\nthat you don't have secrets exposed as parameters if you enable this.","type":"boolean"},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. 
IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"oauth2":{"description":"oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint.\nCannot be set at the same time as `authorization`, or `basicAuth`.","type":"object","required":["clientId","clientSecret","tokenUrl"],"properties":{"clientId":{"description":"clientId defines a key of a Secret or ConfigMap containing the\nOAuth2 client's ID.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"clientSecret":{"description":"clientSecret defines a key of a Secret containing the OAuth2\nclient's secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"endpointParams":{"description":"endpointParams configures the HTTP parameters to append to the token\nURL.","type":"object","additionalProperties":{"type":"string"}},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  
Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"scopes":{"description":"scopes defines the OAuth2 scopes used for the token request.","type":"array","items":{"type":"string"}},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server.\nIt requires Prometheus >= v2.43.0.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"tokenUrl":{"description":"tokenUrl defines the URL to fetch the token from.","type":"string","minLength":1}}},"port":{"description":"port defines the port to scrape metrics from. If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"query":{"description":"query defines the Puppet Query Language (PQL) query. Only resources are supported.\nhttps://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html","type":"string","minLength":1},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"url":{"description":"url defines the URL of the PuppetDB root query endpoint.","type":"string","minLength":1,"pattern":"^http(s)?://.+$"}}}},"relabelings":{"description":"relabelings defines how to rewrite the target's labels before scraping.\nPrometheus Operator automatically adds relabelings for a few standard Kubernetes fields.\nThe original scrape job's name is available via the `__tmp_prometheus_job_name` label.\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"array","minItems":1,"items":{"description":"RelabelConfig allows dynamic rewriting of the label set for targets, alerts,\nscraped samples and remote write samples.\n\nMore info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config","type":"object","properties":{"action":{"description":"action to perform based on the regex matching.\n\n`Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0.\n`DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0.\n\nDefault: 
\"Replace\"","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase","keepequal","KeepEqual","dropequal","DropEqual"]},"modulus":{"description":"modulus to take of the hash of the source label values.\n\nOnly applicable when the action is `HashMod`.","type":"integer","format":"int64"},"regex":{"description":"regex defines the regular expression against which the extracted value is matched.","type":"string"},"replacement":{"description":"replacement value against which a Replace action is performed if the\nregular expression matches.\n\nRegex capture groups are available.","type":"string"},"separator":{"description":"separator defines the string between concatenated SourceLabels.","type":"string"},"sourceLabels":{"description":"sourceLabels defines the source labels that select values from existing labels. Their content is\nconcatenated using the configured Separator and matched against the\nconfigured regular expression.","type":"array","items":{"description":"LabelName is a valid Prometheus label name.\nFor Prometheus 3.x, a label name is valid if it contains UTF-8 characters.\nFor Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores.","type":"string"}},"targetLabel":{"description":"targetLabel defines the label to which the resulting string is written in a replacement.\n\nIt is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`,\n`KeepEqual` and `DropEqual` actions.\n\nRegex capture groups are available.","type":"string"}}}},"sampleLimit":{"description":"sampleLimit defines per-scrape limit on number of scraped samples that will be accepted.","type":"integer","format":"int64"},"scalewaySDConfigs":{"description":"scalewaySDConfigs defines a list of Scaleway instances and baremetal service discovery 
configurations.","type":"array","items":{"description":"ScalewaySDConfig configurations allow retrieving scrape targets from Scaleway instances and baremetal services.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scaleway_sd_config","type":"object","required":["accessKey","projectID","role","secretKey"],"properties":{"accessKey":{"description":"accessKey defines the access key to use. https://console.scaleway.com/project/credentials","type":"string","minLength":1},"apiURL":{"description":"apiURL defines the API URL to use when doing the server listing requests.","type":"string","pattern":"^http(s)?://.+$"},"enableHTTP2":{"description":"enableHTTP2 defines whether to enable HTTP2.","type":"boolean"},"followRedirects":{"description":"followRedirects defines whether HTTP requests follow HTTP 3xx redirects.","type":"boolean"},"nameFilter":{"description":"nameFilter defines a name filter (works as a LIKE) to apply on the server listing request.","type":"string","minLength":1},"noProxy":{"description":"noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names\nthat should be excluded from proxying. IP and domain names can\ncontain port numbers.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"string"},"port":{"description":"port defines the port to scrape metrics from. 
If using the public IP address, this must","type":"integer","format":"int32","maximum":65535,"minimum":0},"projectID":{"description":"projectID defines the Project ID of the targets.","type":"string","minLength":1},"proxyConnectHeader":{"description":"proxyConnectHeader optionally specifies headers to send to\nproxies during CONNECT requests.\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"object","additionalProperties":{"type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"proxyFromEnvironment":{"description":"proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).\n\nIt requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.","type":"boolean"},"proxyUrl":{"description":"proxyUrl defines the HTTP proxy server to use.","type":"string","pattern":"^(http|https|socks5)://.+$"},"refreshInterval":{"description":"refreshInterval defines the time after which the provided names are refreshed.\nIf not set, Prometheus uses its default value.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"role":{"description":"role defines the service of the targets to retrieve. 
Must be `Instance` or `Baremetal`.","type":"string","enum":["Instance","Baremetal"]},"secretKey":{"description":"secretKey defines the secret key to use when listing targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"tagsFilter":{"description":"tagsFilter defines a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request.","type":"array","minItems":1,"items":{"type":"string","minLength":1},"x-kubernetes-list-type":"set"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to connect to the Consul API.","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether to disable target certificate validation.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"zone":{"description":"zone defines the availability zone of your targets (e.g. fr-par-1).","type":"string","minLength":1}}}},"scheme":{"description":"scheme defines the protocol scheme used for requests.","type":"string","enum":["http","https","HTTP","HTTPS"]},"scrapeClass":{"description":"scrapeClass defines the scrape class to apply.","type":"string","minLength":1},"scrapeClassicHistograms":{"description":"scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.\nIt requires Prometheus >= v2.45.0.\n\nNotice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration.","type":"boolean"},"scrapeInterval":{"description":"scrapeInterval defines the interval between consecutive scrapes.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"scrapeNativeHistograms":{"description":"scrapeNativeHistograms defines whether to enable scraping of native histograms.\nIt requires Prometheus >= v3.8.0.","type":"boolean"},"scrapeProtocols":{"description":"scrapeProtocols defines 
the protocols to negotiate during a scrape. It tells clients the\nprotocols supported by Prometheus in order of preference (from most to least preferred).\n\nIf unset, Prometheus uses its default value.\n\nIt requires Prometheus >= v2.49.0.","type":"array","minItems":1,"items":{"description":"ScrapeProtocol represents a protocol used by Prometheus for scraping metrics.\nSupported values are:\n* `OpenMetricsText0.0.1`\n* `OpenMetricsText1.0.0`\n* `PrometheusProto`\n* `PrometheusText0.0.4`\n* `PrometheusText1.0.0`","type":"string","enum":["PrometheusProto","OpenMetricsText0.0.1","OpenMetricsText1.0.0","PrometheusText0.0.4","PrometheusText1.0.0"]},"x-kubernetes-list-type":"set"},"scrapeTimeout":{"description":"scrapeTimeout defines the number of seconds to wait until a scrape request times out.\nThe value cannot be greater than the scrape interval otherwise the operator will reject the resource.","type":"string","pattern":"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"},"staticConfigs":{"description":"staticConfigs defines a list of static targets with a common label set.","type":"array","items":{"description":"StaticConfig defines a Prometheus static configuration.\nSee https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config","type":"object","required":["targets"],"properties":{"labels":{"description":"labels defines labels assigned to all metrics scraped from the targets.","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"targets":{"description":"targets defines the list of targets for this static configuration.","type":"array","minItems":1,"items":{"description":"Target represents a target for Prometheus to scrape\nkubebuilder:validation:MinLength:=1","type":"string"},"x-kubernetes-list-type":"set"}}}},"targetLimit":{"description":"targetLimit defines a limit on the number of scraped targets that will be 
accepted.","type":"integer","format":"int64"},"tlsConfig":{"description":"tlsConfig defines the TLS configuration to use on every scrape request","type":"object","properties":{"ca":{"description":"ca defines the Certificate authority used when verifying server certificates.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"cert":{"description":"cert defines the Client certificate to present when doing client-authentication.","type":"object","properties":{"configMap":{"description":"configMap defines the ConfigMap containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"secret":{"description":"secret defines the Secret containing data to use for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"insecureSkipVerify":{"description":"insecureSkipVerify defines whether target certificate validation is disabled. When true, the target's server certificate is not verified, so the scrape connection is not protected against an impersonated endpoint.","type":"boolean"},"keySecret":{"description":"keySecret defines the Secret containing the client key file for the targets.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"maxVersion":{"description":"maxVersion defines the maximum acceptable TLS version.\n\nIt requires Prometheus >= v2.41.0 or Thanos >= v0.31.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"minVersion":{"description":"minVersion defines the minimum acceptable TLS version.\n\nIt requires Prometheus >= v2.35.0 or Thanos >= v0.28.0.","type":"string","enum":["TLS10","TLS11","TLS12","TLS13"]},"serverName":{"description":"serverName is used to verify the hostname for the targets.","type":"string"}}},"trackTimestampsStaleness":{"description":"trackTimestampsStaleness defines whether Prometheus tracks staleness of\nthe metrics that have an explicit timestamp present in scraped data.\nHas no effect if `honorTimestamps` is false.\nIt requires Prometheus >= 
v2.48.0.","type":"boolean"}}},"status":{"description":"status defines the status subresource. It is under active development and is updated only when the\n\"StatusForConfigurationResources\" feature gate is enabled.\n\nMost recent observed status of the ScrapeConfig. Read-only.\nMore info:\nhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"bindings":{"description":"bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.","type":"array","items":{"description":"WorkloadBinding is a link between a configuration resource and a workload resource.","type":"object","required":["group","name","namespace","resource"],"properties":{"conditions":{"description":"conditions defines the current state of the configuration resource when bound to the referenced Workload object.","type":"array","items":{"description":"ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime defines the time of the last update to the current status property.","type":"string","format":"date-time"},"message":{"description":"message defines the human-readable message indicating details for the condition's last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration defines the .metadata.generation that the\ncondition was set based upon. 
For instance, if `.metadata.generation` is\ncurrently 12, but the `.status.conditions[].observedGeneration` is 9, the\ncondition is out of date with respect to the current state of the object.","type":"integer","format":"int64"},"reason":{"description":"reason for the condition's last transition.","type":"string"},"status":{"description":"status of the condition.","type":"string","minLength":1},"type":{"description":"type of the condition being reported.\nCurrently, only \"Accepted\" is supported.","type":"string","minLength":1,"enum":["Accepted"]}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"group":{"description":"group defines the group of the referenced resource.","type":"string","enum":["monitoring.coreos.com"]},"name":{"description":"name defines the name of the referenced object.","type":"string","minLength":1},"namespace":{"description":"namespace defines the namespace of the referenced object.","type":"string","minLength":1},"resource":{"description":"resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).","type":"string","enum":["prometheuses","prometheusagents","thanosrulers","alertmanagers"]}}},"x-kubernetes-list-map-keys":["group","resource","name","namespace"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ScrapeConfig","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.ScrapeConfig"},"com.coreos.monitoring.v1alpha1.ScrapeConfigList":{"description":"ScrapeConfigList is a list of ScrapeConfig","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of scrapeconfigs. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.coreos.monitoring.v1alpha1.ScrapeConfig"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.coreos.com","kind":"ScrapeConfigList","version":"v1alpha1"}],"title":"com.coreos.monitoring.v1alpha1.ScrapeConfigList"},"com.grafana.monitoring.v1alpha2.PodLogs":{"description":"PodLogs defines how to collect logs for a Pod.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"PodLogsSpec defines how to collect logs for a Pod.","type":"object","required":["selector"],"properties":{"namespaceSelector":{"description":"Selector to select which namespaces the Pod objects are discovered from.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"relabelings":{"description":"RelabelConfigs to apply to logs before delivering.","type":"array","items":{"description":"RelabelConfig allows dynamic rewriting of the label set, being applied to samples before ingestion. 
It defines `<metric_relabel_configs>`-section of Prometheus configuration. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs","type":"object","properties":{"action":{"description":"Action to perform based on regex matching. Default is 'replace'. uppercase and lowercase actions require Prometheus >= 2.36.","type":"string","enum":["replace","Replace","keep","Keep","drop","Drop","hashmod","HashMod","labelmap","LabelMap","labeldrop","LabelDrop","labelkeep","LabelKeep","lowercase","Lowercase","uppercase","Uppercase"]},"modulus":{"description":"Modulus to take of the hash of the source label values.","type":"integer","format":"int64"},"regex":{"description":"Regular expression against which the extracted value is matched. Default is '(.*)'","type":"string"},"replacement":{"description":"Replacement value against which a regex replace is performed if the regular expression matches. Regex capture groups are available. Default is '$1'","type":"string"},"separator":{"description":"Separator placed between concatenated source label values. default is ';'.","type":"string"},"sourceLabels":{"description":"The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression for the replace, keep, and drop actions.","type":"array","items":{"description":"LabelName is a valid Prometheus label name which may only contain ASCII letters, numbers, as well as underscores.","type":"string","pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$"}},"targetLabel":{"description":"Label to which the resulting value is written in a replace action. It is mandatory for replace actions. Regex capture groups are available.","type":"string"}}}},"selector":{"description":"Selector to select Pod objects. Required.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}},"x-kubernetes-group-version-kind":[{"group":"monitoring.grafana.com","kind":"PodLogs","version":"v1alpha2"}],"title":"com.grafana.monitoring.v1alpha2.PodLogs"},"com.grafana.monitoring.v1alpha2.PodLogsList":{"description":"PodLogsList is a list of PodLogs","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of podlogs. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.grafana.monitoring.v1alpha2.PodLogs"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"monitoring.grafana.com","kind":"PodLogsList","version":"v1alpha2"}],"title":"com.grafana.monitoring.v1alpha2.PodLogsList"},"com.grafana.rollout-operator.v1.ReplicaTemplate":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"labelSelector":{"type":"string"},"replicas":{"type":"integer","minimum":0}}},"status":{"type":"object","properties":{"replicas":{"type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"rollout-operator.grafana.com","kind":"ReplicaTemplate","version":"v1"}],"title":"com.grafana.rollout-operator.v1.ReplicaTemplate"},"com.grafana.rollout-operator.v1.ReplicaTemplateList":{"description":"ReplicaTemplateList is a list of ReplicaTemplate","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of replicatemplates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.grafana.rollout-operator.v1.ReplicaTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rollout-operator.grafana.com","kind":"ReplicaTemplateList","version":"v1"}],"title":"com.grafana.rollout-operator.v1.ReplicaTemplateList"},"com.grafana.rollout-operator.v1.ZoneAwarePodDisruptionBudget":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["selector"],"properties":{"maxUnavailable":{"description":"The number of pods that can be unavailable within a zone or partition.","type":"integer","minimum":0},"maxUnavailablePercentage":{"description":"Calculate the maxUnavailable value as a percentage of the StatefulSet's spec.Replica count. This option is not supported when using podNamePartitionRegex.","type":"integer","maximum":100,"minimum":0},"podNamePartitionRegex":{"description":"A regular expression for returning a partition name given a pod name. 
This field is optional and should only be used when the ZoneAwarePodDisruptionBudget is to be scoped to a partition, such as a multi-zone ingester deployment with ingest_storage_enabled. Enabling this changes the ZPDB functionality such that minAvailability is applied across ALL zones for a given partition. When not enabled, the minAvailability is applied to pods within the eviction zone assuming there are no disruptions in the other zones.","type":"string"},"podNameRegexGroup":{"description":"The regular expression group number that contains the partition name. This field is only required when the podNamePartitionRegex field is set and has more than one subexpression grouping. The default value is 1.","type":"integer","minimum":1},"selector":{"description":"A selector for finding pods and statefulsets that this ZoneAwarePodDisruptionBudget applies to.","type":"object","required":["matchLabels"],"properties":{"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"rollout-operator.grafana.com","kind":"ZoneAwarePodDisruptionBudget","version":"v1"}],"title":"com.grafana.rollout-operator.v1.ZoneAwarePodDisruptionBudget"},"com.grafana.rollout-operator.v1.ZoneAwarePodDisruptionBudgetList":{"description":"ZoneAwarePodDisruptionBudgetList is a list of ZoneAwarePodDisruptionBudget","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of zoneawarepoddisruptionbudgets. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.grafana.rollout-operator.v1.ZoneAwarePodDisruptionBudget"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rollout-operator.grafana.com","kind":"ZoneAwarePodDisruptionBudgetList","version":"v1"}],"title":"com.grafana.rollout-operator.v1.ZoneAwarePodDisruptionBudgetList"},"com.mongodb.mongodbcommunity.v1.MongoDBCommunity":{"description":"MongoDBCommunity is the Schema for the mongodbs API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MongoDBCommunitySpec defines the desired state of MongoDB","type":"object","required":["security","type","users"],"properties":{"additionalConnectionStringConfig":{"description":"Additional options to be appended to the connection string. These options apply to the entire resource and to each user.","x-kubernetes-preserve-unknown-fields":true},"additionalMongodConfig":{"description":"AdditionalMongodConfig is additional configuration that can be passed to\neach data-bearing mongod at runtime. Uses the same structure as the mongod\nconfiguration file: https://www.mongodb.com/docs/manual/reference/configuration-options/","x-kubernetes-preserve-unknown-fields":true},"agent":{"description":"AgentConfiguration sets options for the MongoDB automation agent","type":"object","properties":{"auditLogRotate":{"description":"AuditLogRotate if enabled, will enable AuditLogRotate for all processes.","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log 
file before rotation","type":"integer"}}},"logFile":{"type":"string"},"logLevel":{"type":"string"},"logRotate":{"description":"LogRotate if enabled, will enable LogRotate for all processes.","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before rotation","type":"integer"}}},"maxLogFileDurationHours":{"type":"integer"},"systemLog":{"description":"SystemLog configures system log of mongod","type":"object","required":["destination","logAppend","path"],"properties":{"destination":{"type":"string"},"logAppend":{"type":"boolean"},"path":{"type":"string"}}}}},"arbiters":{"description":"Arbiters is the number of arbiters to add to the Replica Set.\nIt is not recommended to have more than one arbiter per Replica Set.\nMore info: https://www.mongodb.com/docs/manual/tutorial/add-replica-set-arbiter/","type":"integer"},"automationConfig":{"description":"AutomationConfigOverride is merged on top of the operator created automation config. Processes are merged\nby name. 
Currently Only the process.disabled field is supported.","type":"object","properties":{"processes":{"type":"array","items":{"description":"OverrideProcess contains fields that we can override on the AutomationConfig processes.","type":"object","required":["disabled","name"],"properties":{"disabled":{"type":"boolean"},"logRotate":{"description":"CrdLogRotate is the crd definition of LogRotate including fields in strings while the agent supports them as float64","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before rotation","type":"integer"}}},"name":{"type":"string"}}}},"replicaSet":{"type":"object","properties":{"id":{"description":"Id can be used together with additionalMongodConfig.replication.replSetName\nto manage clusters where replSetName differs from the MongoDBCommunity resource name","type":"string"},"settings":{"description":"MapWrapper is a wrapper for a map to be used by other structs.\nThe CRD generator does not support map[string]interface{}\non the top level and hence we need to work around this with\na wrapping 
struct.","x-kubernetes-preserve-unknown-fields":true}}}}},"featureCompatibilityVersion":{"description":"FeatureCompatibilityVersion configures the feature compatibility version that will\nbe set for the deployment","type":"string"},"memberConfig":{"description":"MemberConfig","type":"array","items":{"type":"object","properties":{"priority":{"type":"string"},"tags":{"type":"object","additionalProperties":{"type":"string"}},"votes":{"type":"integer"}}}},"members":{"description":"Members is the number of members in the replica set","type":"integer"},"prometheus":{"description":"Prometheus configurations.","type":"object","required":["passwordSecretRef","username"],"properties":{"metricsPath":{"description":"Indicates path to the metrics endpoint.","type":"string","pattern":"^\\/[a-z0-9]+$"},"passwordSecretRef":{"description":"Name of a Secret containing a HTTP Basic Auth Password.","type":"object","required":["name"],"properties":{"key":{"description":"Key is the key in the secret storing this password. Defaults to \"password\"","type":"string"},"name":{"description":"Name is the name of the secret storing this user's password","type":"string"}}},"port":{"description":"Port where metrics endpoint will bind to. Defaults to 9216.","type":"integer"},"tlsSecretKeyRef":{"description":"Name of a Secret (type kubernetes.io/tls) holding the certificates to use in the\nPrometheus endpoint.","type":"object","required":["name"],"properties":{"key":{"description":"Key is the key in the secret storing this password. Defaults to \"password\"","type":"string"},"name":{"description":"Name is the name of the secret storing this user's password","type":"string"}}},"username":{"description":"HTTP Basic Auth Username for metrics endpoint.","type":"string"}}},"replicaSetHorizons":{"description":"ReplicaSetHorizons Add this parameter and values if you need your database\nto be accessed outside of Kubernetes. 
This setting allows you to\nprovide different DNS settings within the Kubernetes cluster and\nto the Kubernetes cluster. The Kubernetes Operator uses split horizon\nDNS for replica set members. This feature allows communication both\nwithin the Kubernetes cluster and from outside Kubernetes.","type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}},"security":{"description":"Security configures security features, such as TLS, and authentication settings for a deployment","type":"object","properties":{"authentication":{"type":"object","required":["modes"],"properties":{"agentCertificateSecretRef":{"description":"AgentCertificateSecret is a reference to a Secret containing the certificate and the key for the automation agent\nThe secret needs to have available:\n- certificate under key: \"tls.crt\"\n- private key under key: \"tls.key\"\nIf additionally, tls.pem is present, then it needs to be equal to the concatenation of tls.crt and tls.key","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"agentMode":{"description":"AgentMode contains the authentication mode used by the automation agent.","type":"string","enum":["SCRAM","SCRAM-SHA-256","SCRAM-SHA-1","X509"]},"ignoreUnknownUsers":{},"modes":{"description":"Modes is an array specifying which authentication methods should be enabled.","type":"array","items":{"type":"string","enum":["SCRAM","SCRAM-SHA-256","SCRAM-SHA-1","X509"]}}}},"roles":{"description":"User-specified custom MongoDB roles that should be configured in the deployment.","type":"array","items":{"description":"CustomRole defines a custom MongoDB role.","type":"object","required":["db","privileges","role"],"properties":{"authenticationRestrictions":{"description":"The authentication restrictions the server enforces on the role.","type":"array","items":{"description":"AuthenticationRestriction specifies a list of IP addresses and CIDR ranges users\nare allowed to connect to or from.","type":"object","required":["clientSource","serverAddress"],"properties":{"clientSource":{"type":"array","items":{"type":"string"}},"serverAddress":{"type":"array","items":{"type":"string"}}}}},"db":{"description":"The database of the role.","type":"string"},"privileges":{"description":"The privileges to grant the role.","type":"array","items":{"description":"Privilege defines the actions a role is allowed to perform on a given resource.","type":"object","required":["actions","resource"],"properties":{"actions":{"type":"array","items":{"type":"string"}},"resource":{"description":"Resource specifies the resources upon which a privilege permits actions.\nSee https://www.mongodb.com/docs/manual/reference/resource-document for 
more.","type":"object","properties":{"anyResource":{"type":"boolean"},"cluster":{"type":"boolean"},"collection":{"type":"string"},"db":{"type":"string"}}}}}},"role":{"description":"The name of the role.","type":"string"},"roles":{"description":"An array of roles from which this role inherits privileges.","type":"array","items":{"description":"Role is the database role this user should have","type":"object","required":["db","name"],"properties":{"db":{"description":"DB is the database the role can act on","type":"string"},"name":{"description":"Name is the name of the role","type":"string"}}}}}}},"tls":{"description":"TLS configuration for both client-server and server-server communication","type":"object","required":["enabled"],"properties":{"caCertificateSecretRef":{"description":"CaCertificateSecret is a reference to a Secret containing the certificate for the CA which signed the server certificates\nThe certificate is expected to be available under the key \"ca.crt\"","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"caConfigMapRef":{"description":"CaConfigMap is a reference to a ConfigMap containing the certificate for the CA which signed the server certificates\nThe certificate is expected to be available under the key \"ca.crt\"\nThis field is ignored when CaCertificateSecretRef is configured","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"certificateKeySecretRef":{"description":"CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.\nThe key and cert are expected to be PEM encoded and available at \"tls.key\" and \"tls.crt\".\nThis is the same format used for the standard \"kubernetes.io/tls\" Secret type, but no specific type is required.\nAlternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.\nIf all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"enabled":{"type":"boolean"},"optional":{"description":"Optional configures if TLS should be required or optional for connections","type":"boolean"}}}}},"statefulSet":{"description":"StatefulSetConfiguration holds the optional custom StatefulSet\nthat should be merged into the operator created one.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}},"type":{"description":"Type defines which type of MongoDB deployment the resource should 
create","type":"string","enum":["ReplicaSet"]},"users":{"description":"Users specifies the MongoDB users that should be configured in your deployment","type":"array","items":{"type":"object","required":["name","roles"],"properties":{"additionalConnectionStringConfig":{"description":"Additional options to be appended to the connection string.\nThese options apply only to this user and will override any existing options in the resource.","x-kubernetes-preserve-unknown-fields":true},"connectionStringSecretAnnotations":{"description":"ConnectionStringSecretAnnotations is the annotations of the secret object created by the operator which exposes the connection strings for the user.","type":"object","additionalProperties":{"type":"string"}},"connectionStringSecretName":{"description":"ConnectionStringSecretName is the name of the secret object created by the operator which exposes the connection strings for the user.\nIf provided, this secret must be different for each user in a deployment.","type":"string"},"connectionStringSecretNamespace":{"description":"ConnectionStringSecretNamespace is the namespace of the secret object created by the operator which exposes the connection strings for the user.","type":"string"},"db":{"description":"DB is the database the user is stored in. Defaults to \"admin\"","type":"string"},"name":{"description":"Name is the username of the user","type":"string"},"passwordSecretRef":{"description":"PasswordSecretRef is a reference to the secret containing this user's password","type":"object","required":["name"],"properties":{"key":{"description":"Key is the key in the secret storing this password. 
Defaults to \"password\"","type":"string"},"name":{"description":"Name is the name of the secret storing this user's password","type":"string"}}},"roles":{"description":"Roles is an array of roles assigned to this user","type":"array","items":{"description":"Role is the database role this user should have","type":"object","required":["db","name"],"properties":{"db":{"description":"DB is the database the role can act on","type":"string"},"name":{"description":"Name is the name of the role","type":"string"}}}},"scramCredentialsSecretName":{"description":"ScramCredentialsSecretName appended by string \"scram-credentials\" is the name of the secret object created by the mongoDB operator for storing SCRAM credentials\nThese secrets names must be different for each user in a deployment.","type":"string","pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"}}}},"version":{"description":"Version defines which version of MongoDB will be used","type":"string"}}},"status":{"description":"MongoDBCommunityStatus defines the observed state of MongoDB","type":"object","required":["currentMongoDBMembers","currentStatefulSetReplicas","mongoUri","phase"],"properties":{"currentMongoDBArbiters":{"type":"integer"},"currentMongoDBMembers":{"type":"integer"},"currentStatefulSetArbitersReplicas":{"type":"integer"},"currentStatefulSetReplicas":{"type":"integer"},"message":{"type":"string"},"mongoUri":{"type":"string"},"phase":{"type":"string"},"version":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"mongodbcommunity.mongodb.com","kind":"MongoDBCommunity","version":"v1"}],"title":"com.mongodb.mongodbcommunity.v1.MongoDBCommunity"},"com.mongodb.mongodbcommunity.v1.MongoDBCommunityList":{"description":"MongoDBCommunityList is a list of MongoDBCommunity","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mongodbcommunity. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.mongodbcommunity.v1.MongoDBCommunity"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodbcommunity.mongodb.com","kind":"MongoDBCommunityList","version":"v1"}],"title":"com.mongodb.mongodbcommunity.v1.MongoDBCommunityList"},"com.mongodb.v1.ClusterMongoDBRole":{"description":"ClusterMongoDBRole is the Schema for the clustermongodbroles API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ClusterMongoDBRoleSpec defines the desired state of ClusterMongoDBRole.","required":["db","role"],"x-kubernetes-preserve-unknown-fields":true}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"ClusterMongoDBRole","version":"v1"}],"title":"com.mongodb.v1.ClusterMongoDBRole"},"com.mongodb.v1.ClusterMongoDBRoleList":{"description":"ClusterMongoDBRoleList is a list of ClusterMongoDBRole","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustermongodbroles. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.ClusterMongoDBRole"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"ClusterMongoDBRoleList","version":"v1"}],"title":"com.mongodb.v1.ClusterMongoDBRoleList"},"com.mongodb.v1.MongoDB":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"required":["credentials","type","version"],"x-kubernetes-preserve-unknown-fields":true},"status":{"type":"object","required":["phase","version"],"properties":{"backup":{"type":"object","required":["statusName"],"properties":{"statusName":{"type":"string"}}},"configServerCount":{"type":"integer"},"featureCompatibilityVersion":{"type":"string"},"lastTransition":{"type":"string"},"link":{"type":"string"},"members":{"type":"integer"},"message":{"type":"string"},"mongodsPerShardCount":{"type":"integer"},"mongosCount":{"type":"integer"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. 
Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"shardCount":{"type":"integer"},"sizeStatusInClusters":{"description":"MongodbShardedSizeStatusInClusters describes the number and sizes of replica sets members deployed across member clusters","type":"object","properties":{"configServerMongodsInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"mongosCountInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"shardMongodsInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"shardOverridesInClusters":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"integer"}}}}},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDB","version":"v1"}],"title":"com.mongodb.v1.MongoDB"},"com.mongodb.v1.MongoDBList":{"description":"MongoDBList is a list of MongoDB","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mongodb. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.MongoDB"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBList","version":"v1"}],"title":"com.mongodb.v1.MongoDBList"},"com.mongodb.v1.MongoDBMultiCluster":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"required":["credentials","type","version"],"x-kubernetes-preserve-unknown-fields":true},"status":{"type":"object","required":["phase","version"],"properties":{"backup":{"type":"object","required":["statusName"],"properties":{"statusName":{"type":"string"}}},"clusterStatusList":{"description":"ClusterStatusList holds a list of clusterStatuses corresponding to each cluster","type":"object","properties":{"clusterStatuses":{"type":"array","items":{"description":"ClusterStatusItem is the mongodb multi-cluster spec that is specific to a\nparticular Kubernetes cluster, this maps to the statefulset created in each cluster","type":"object","required":["phase"],"properties":{"clusterName":{"description":"ClusterName is name of the cluster where the MongoDB Statefulset will be scheduled, the\nname should have a one on one mapping with the service-account created in the central cluster\nto talk to the workload clusters.","type":"string"},"lastTransition":{"type":"string"},"members":{"type":"integer"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. 
Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"warnings":{"type":"array","items":{"type":"string"}}}}}}},"featureCompatibilityVersion":{"type":"string"},"lastTransition":{"type":"string"},"link":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBMultiCluster","version":"v1"}],"title":"com.mongodb.v1.MongoDBMultiCluster"},"com.mongodb.v1.MongoDBMultiClusterList":{"description":"MongoDBMultiClusterList is a list of MongoDBMultiCluster","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mongodbmulticluster. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.MongoDBMultiCluster"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBMultiClusterList","version":"v1"}],"title":"com.mongodb.v1.MongoDBMultiClusterList"},"com.mongodb.v1.MongoDBOpsManager":{"description":"The MongoDBOpsManager resource allows you to deploy Ops Manager within your Kubernetes cluster","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["applicationDatabase","version"],"properties":{"adminCredentials":{"description":"AdminSecret is the secret for the first admin user to create\nhas the fields: \"Username\", \"Password\", \"FirstName\", \"LastName\"","type":"string"},"applicationDatabase":{"type":"object","required":["version"],"properties":{"additionalMongodConfig":{"description":"AdditionalMongodConfig are additional configurations that can be passed to\neach data-bearing mongod at runtime. Uses the same structure as the mongod\nconfiguration file:\nhttps://docs.mongodb.com/manual/reference/configuration-options/","x-kubernetes-preserve-unknown-fields":true},"agent":{"description":"specify configuration like startup flags and automation config settings for the AutomationAgent and MonitoringAgent","type":"object","properties":{"backupAgent":{"type":"object","properties":{"logRotate":{"description":"LogRotate configures log rotation for the BackupAgent processes","type":"object","properties":{"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nOM only supports ints","type":"integer"},"timeThresholdHrs":{"description":"Number of hours after which this MongoDB Agent rotates the log file.","type":"integer"}}}}},"logLevel":{"type":"string"},"logRotate":{"description":"DEPRECATED please use mongod.logRotate","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave 
uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before rotation","type":"integer"}}},"maxLogFileDurationHours":{"type":"integer"},"mongod":{"description":"AgentLoggingMongodConfig contain settings for the mongodb processes configured by the agent","type":"object","properties":{"auditlogRotate":{"description":"LogRotate configures audit log rotation for the mongodb processes","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before rotation","type":"integer"}}},"logRotate":{"description":"LogRotate configures log rotation for the mongodb processes","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 
'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before rotation","type":"integer"}}},"systemLog":{"description":"SystemLog configures system log of mongod","type":"object","required":["destination","logAppend","path"],"properties":{"destination":{"type":"string"},"logAppend":{"type":"boolean"},"path":{"type":"string"}}}}},"monitoringAgent":{"type":"object","properties":{"logRotate":{"description":"LogRotate configures log rotation for the BackupAgent processes","type":"object","properties":{"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nOM only supports ints","type":"integer"},"timeThresholdHrs":{"description":"Number of hours after which this MongoDB Agent rotates the log file.","type":"integer"}}}}},"readinessProbe":{"type":"object","properties":{"environmentVariables":{"type":"object","additionalProperties":{"type":"string"}}}},"startupOptions":{"description":"StartupParameters can be used to configure the startup parameters with which the agent starts. 
That also contains\nlog rotation settings as defined here:","type":"object","additionalProperties":{"type":"string"}},"systemLog":{"description":"DEPRECATED please use mongod.systemLog","type":"object","required":["destination","logAppend","path"],"properties":{"destination":{"type":"string"},"logAppend":{"type":"boolean"},"path":{"type":"string"}}}}},"automationConfig":{"description":"AutomationConfigOverride holds any fields that will be merged on top of the Automation Config\nthat the operator creates for the AppDB. Currently only the process.disabled and logRotate fields are recognized.","type":"object","properties":{"processes":{"type":"array","items":{"description":"OverrideProcess contains fields that we can override on the AutomationConfig processes.","type":"object","required":["disabled","name"],"properties":{"disabled":{"type":"boolean"},"logRotate":{"description":"CrdLogRotate is the crd definition of LogRotate including fields in strings while the agent supports them as float64","type":"object","required":["sizeThresholdMB","timeThresholdHrs"],"properties":{"includeAuditLogsWithMongoDBLogs":{"description":"set to 'true' to have the Automation Agent rotate the audit files along\nwith mongodb log files","type":"boolean"},"numTotal":{"description":"maximum number of log files to have total","type":"integer"},"numUncompressed":{"description":"maximum number of log files to leave uncompressed","type":"integer"},"percentOfDiskspace":{"description":"Maximum percentage of the total disk space these log files should take up.\nThe string needs to be able to be converted to float64","type":"string"},"sizeThresholdMB":{"description":"Maximum size for an individual log file before rotation.\nThe string needs to be able to be converted to float64.\nFractional values of MB are supported.","type":"string"},"timeThresholdHrs":{"description":"maximum hours for an individual log file before 
rotation","type":"integer"}}},"name":{"type":"string"}}}},"replicaSet":{"type":"object","properties":{"id":{"description":"Id can be used together with additionalMongodConfig.replication.replSetName\nto manage clusters where replSetName differs from the MongoDBCommunity resource name","type":"string"},"settings":{"description":"MapWrapper is a wrapper for a map to be used by other structs.\nThe CRD generator does not support map[string]interface{}\non the top level and hence we need to work around this with\na wrapping struct.","x-kubernetes-preserve-unknown-fields":true}}}}},"cloudManager":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"}}}}},"clusterDomain":{"type":"string"},"clusterSpecList":{"type":"array","items":{"description":"ClusterSpecItem is the mongodb multi-cluster spec that is specific to a\nparticular Kubernetes cluster, this maps to the statefulset created in each cluster","type":"object","required":["members"],"properties":{"clusterName":{"description":"ClusterName is name of the cluster where the MongoDB Statefulset will be scheduled, the\nname should have a one on one mapping with the service-account created in the central cluster\nto talk to the workload clusters.","type":"string"},"externalAccess":{"description":"ExternalAccessConfiguration provides external access configuration for Multi-Cluster.","type":"object","properties":{"externalDomain":{"description":"An external domain that is used for exposing MongoDB to the outside world.","type":"string"},"externalService":{"description":"Provides a way to override the default (NodePort) Service","type":"object","properties":{"annotations":{"description":"A map of annotations that shall be added to the externally available Service.","type":"object","additionalProperties":{"type":"string"}},"spec":{"description":"A wrapper for the Service spec object.","x-kubernetes-preserve-unknown-fields":true}}}}},"memberConfig":{"description":"MemberConfig 
allows to specify votes, priorities and tags for each of the mongodb process.","type":"array","items":{"type":"object","properties":{"priority":{"type":"string"},"tags":{"type":"object","additionalProperties":{"type":"string"}},"votes":{"type":"integer"}}}},"members":{"description":"Amount of members for this MongoDB Replica Set","type":"integer"},"podSpec":{"type":"object","properties":{"persistence":{"description":"Note, that this field is used by MongoDB resources only, let's keep it here for simplicity","type":"object","properties":{"multiple":{"type":"object","properties":{"data":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"journal":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"logs":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"single":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"podTemplate":{"x-kubernetes-preserve-unknown-fields":true}}},"service":{"description":"this is an optional service, it will get the name \"<rsName>-service\" in case not provided","type":"string"},"statefulSet":{"description":"StatefulSetConfiguration holds the optional custom StatefulSet\nthat should be merged into the operator created one.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and 
Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}}}}},"connectivity":{"type":"object","properties":{"replicaSetHorizons":{"description":"ReplicaSetHorizons holds list of maps of horizons to be configured in each of MongoDB processes.\nHorizons map horizon names to the node addresses for each process in the replicaset, e.g.:\n [\n   {\n     \"internal\": \"my-rs-0.my-internal-domain.com:31843\",\n     \"external\": \"my-rs-0.my-external-domain.com:21467\"\n   },\n   {\n     \"internal\": \"my-rs-1.my-internal-domain.com:31843\",\n     \"external\": \"my-rs-1.my-external-domain.com:21467\"\n   },\n   ...\n ]\nThe key of each item in the map is an arbitrary, user-chosen string that\nrepresents the name of the horizon. The value of the item is the host and,\noptionally, the port that this mongod node will be connected to from.","type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}}}},"credentials":{"description":"Name of the Secret holding credentials information","type":"string"},"externalAccess":{"description":"ExternalAccessConfiguration provides external access configuration.","type":"object","properties":{"externalDomain":{"description":"An external domain that is used for exposing MongoDB to the outside world.","type":"string"},"externalService":{"description":"Provides a way to override the default (NodePort) Service","type":"object","properties":{"annotations":{"description":"A map of annotations that shall be added to the externally available Service.","type":"object","additionalProperties":{"type":"string"}},"spec":{"description":"A wrapper for the Service spec object.","x-kubernetes-preserve-unknown-fields":true}}}}},"featureCompatibilityVersion":{"type":"string"},"memberConfig":{"description":"MemberConfig allows to specify votes, priorities 
and tags for each of the mongodb process.","type":"array","items":{"type":"object","properties":{"priority":{"type":"string"},"tags":{"type":"object","additionalProperties":{"type":"string"}},"votes":{"type":"integer"}}}},"members":{"description":"Amount of members for this MongoDB Replica Set","type":"integer","maximum":50,"minimum":3},"monitoringAgent":{"description":"Specify configuration like startup flags just for the MonitoringAgent.\nThese take precedence over\nthe flags set in AutomationAgent","type":"object","required":["startupOptions"],"properties":{"startupOptions":{"description":"StartupParameters can be used to configure the startup parameters with which the agent starts. That also contains\nlog rotation settings as defined here:","type":"object","additionalProperties":{"type":"string"}}}},"opsManager":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"}}}}},"passwordSecretKeyRef":{"description":"PasswordSecretKeyRef contains a reference to the secret which contains the password\nfor the mongodb-ops-manager SCRAM-SHA user","type":"object","required":["name"],"properties":{"key":{"type":"string"},"name":{"type":"string"}}},"podSpec":{"type":"object","properties":{"persistence":{"description":"Note, that this field is used by MongoDB resources only, let's keep it here for 
simplicity","type":"object","properties":{"multiple":{"type":"object","properties":{"data":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"journal":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"logs":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"single":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"podTemplate":{"x-kubernetes-preserve-unknown-fields":true}}},"prometheus":{"description":"Enables Prometheus integration on the AppDB.","type":"object","required":["passwordSecretRef","username"],"properties":{"metricsPath":{"description":"Indicates path to the metrics endpoint.","type":"string","pattern":"^\\/[a-z0-9]+$"},"passwordSecretRef":{"description":"Name of a Secret containing a HTTP Basic Auth Password.","type":"object","required":["name"],"properties":{"key":{"description":"Key is the key in the secret storing this password. Defaults to \"password\"","type":"string"},"name":{"description":"Name is the name of the secret storing this user's password","type":"string"}}},"port":{"description":"Port where metrics endpoint will bind to. Defaults to 9216.","type":"integer"},"tlsSecretKeyRef":{"description":"Name of a Secret (type kubernetes.io/tls) holding the certificates to use in the\nPrometheus endpoint.","type":"object","required":["name"],"properties":{"key":{"description":"Key is the key in the secret storing this password. 
Defaults to \"password\"","type":"string"},"name":{"description":"Name is the name of the secret storing this user's password","type":"string"}}},"username":{"description":"HTTP Basic Auth Username for metrics endpoint.","type":"string"}}},"security":{"type":"object","properties":{"authentication":{"description":"Authentication holds various authentication related settings that affect\nthis MongoDB resource.","type":"object","required":["enabled"],"properties":{"agents":{"description":"Agents contains authentication configuration properties for the agents","type":"object","required":["mode"],"properties":{"automationLdapGroupDN":{"type":"string"},"automationPasswordSecretRef":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"automationUserName":{"type":"string"},"clientCertificateSecretRef":{"x-kubernetes-preserve-unknown-fields":true},"mode":{"description":"Mode is the desired Authentication mode that the agents will use","type":"string"}}},"enabled":{"type":"boolean"},"ignoreUnknownUsers":{"description":"IgnoreUnknownUsers maps to the inverse of auth.authoritativeSet","type":"boolean"},"internalCluster":{"type":"string"},"ldap":{"description":"LDAP Configuration","type":"object","properties":{"authzQueryTemplate":{"type":"string"},"bindQueryPasswordSecretRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"bindQueryUser":{"type":"string"},"caConfigMapRef":{"description":"Allows to point at a ConfigMap/key with a CA file to mount on the Pod","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"servers":{"type":"array","items":{"type":"string"}},"timeoutMS":{"type":"integer"},"transportSecurity":{"type":"string","enum":["tls","none"]},"userCacheInvalidationInterval":{"type":"integer"},"userToDNMapping":{"type":"string"},"validateLDAPServerConfig":{"type":"boolean"}}},"modes":{"type":"array","items":{"type":"string","enum":["X509","SCRAM","SCRAM-SHA-1","MONGODB-CR","SCRAM-SHA-256","LDAP","OIDC"]}},"oidcProviderConfigs":{"description":"Configuration for OIDC providers","type":"array","items":{"type":"object","required":["audience","authorizationMethod","authorizationType","configurationName","issuerURI","userClaim"],"properties":{"audience":{"description":"Entity that your external identity provider intends the token for.\nEnter the audience value from the app you registered with external Identity Provider.","type":"string"},"authorizationMethod":{"description":"Configure single-sign-on for human user access to deployments with Workforce Identity Federation.\nFor programmatic, application access to deployments use Workload Identity Federation.\nOnly one Workforce Identity Federation IdP can be configured per MongoDB resource","type":"string","enum":["WorkforceIdentityFederation","WorkloadIdentityFederation"]},"authorizationType":{"description":"Select GroupMembership to grant authorization based on IdP user group membership, or select UserID to grant\nan individual user authorization.","type":"string","enum":["GroupMembership","UserID"]},"clientId":{"description":"Unique identifier for your registered application. 
Enter the clientId value from the app you\nregistered with an external Identity Provider.\nRequired when selected Workforce Identity Federation authorization method","type":"string"},"configurationName":{"description":"Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:\n - alphanumeric characters (combination of a to z and 0 to 9)\n - hyphens (-)\n - underscores (_)","type":"string","pattern":"^[a-zA-Z0-9-_]+$"},"groupsClaim":{"description":"The identifier of the claim that includes the principal's IdP user group membership information.\nRequired when selected GroupMembership as the authorization type, ignored otherwise","type":"string"},"issuerURI":{"description":"Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider\nConfiguration Document, which should be available in the /.well-known/openid-configuration endpoint.\nFor MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.\nFor other MongoDB versions, the issuerURI itself must be unique.","type":"string"},"requestedScopes":{"description":"Tokens that give users permission to request data from the authorization endpoint.\nOnly used for Workforce Identity Federation authorization method","type":"array","items":{"type":"string"}},"userClaim":{"description":"The identifier of the claim that includes the user principal identity.\nAccept the default value unless your IdP uses a different claim.","type":"string"}}}},"requireClientTLSAuthentication":{"description":"Clients should present valid TLS 
certificates","type":"boolean"}}},"certsSecretPrefix":{"type":"string"},"roleRefs":{"type":"array","items":{"type":"object","required":["kind","name"],"properties":{"kind":{"type":"string","enum":["ClusterMongoDBRole"]},"name":{"type":"string"}}}},"roles":{"type":"array","items":{"type":"object","required":["db","role"],"properties":{"authenticationRestrictions":{"type":"array","items":{"type":"object","properties":{"clientSource":{"type":"array","items":{"type":"string"}},"serverAddress":{"type":"array","items":{"type":"string"}}}}},"db":{"type":"string"},"privileges":{"type":"array","items":{"type":"object","required":["actions","resource"],"properties":{"actions":{"type":"array","items":{"type":"string"}},"resource":{"type":"object","properties":{"cluster":{"type":"boolean"},"collection":{"type":"string"},"db":{"type":"string"}}}}}},"role":{"type":"string"},"roles":{"type":"array","items":{"type":"object","required":["db","role"],"properties":{"db":{"type":"string"},"role":{"type":"string"}}}}}}},"tls":{"type":"object","properties":{"additionalCertificateDomains":{"type":"array","items":{"type":"string"}},"ca":{"description":"CA corresponds to a ConfigMap containing an entry for the CA certificate (ca.pem)\nused to validate the certificates created already.","type":"string"},"enabled":{"description":"DEPRECATED please enable TLS by setting `security.certsSecretPrefix` or `security.tls.secretRef.prefix`.\nEnables TLS for this resource. 
This will make the operator try to mount a\nSecret with a defined name (<resource-name>-cert).\nThis is only used when enabling TLS on a MongoDB resource, and not on the\nAppDB, where TLS is configured by setting `secretRef.Name`.","type":"boolean"}}}},"x-kubernetes-validations":[{"message":"At most one of roles or roleRefs can be non-empty","rule":"!(has(self.roles) && has(self.roleRefs)) || !(self.roles.size() > 0 && self.roleRefs.size() > 0)"}]},"service":{"description":"this is an optional service, it will get the name \"<rsName>-svc\" in case not provided","type":"string"},"topology":{"type":"string","enum":["SingleCluster","MultiCluster"]},"type":{"type":"string","enum":["Standalone","ReplicaSet","ShardedCluster"]},"version":{"type":"string","pattern":"^[0-9]+.[0-9]+.[0-9]+(-.+)?$|^$"}}},"backup":{"description":"Backup","type":"object","required":["enabled"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"blockStores":{"type":"array","items":{"description":"DataStoreConfig is the description of the config used to reference to database. 
Reused by Oplog and Block stores\nOptionally references the user if the Mongodb is configured with authentication","type":"object","required":["mongodbResourceRef","name"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"mongodbUserRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"name":{"type":"string"}}}},"enabled":{"description":"Enabled indicates if Backups will be enabled for this Ops Manager.","type":"boolean"},"encryption":{"description":"Encryption settings","type":"object","properties":{"kmip":{"description":"Kmip corresponds to the KMIP configuration assigned to the Ops Manager Project's configuration.","type":"object","required":["server"],"properties":{"server":{"description":"KMIP Server configuration","type":"object","required":["ca","url"],"properties":{"ca":{"description":"CA corresponds to a ConfigMap containing an entry for the CA certificate (ca.pem)\nused for KMIP authentication","type":"string"},"url":{"description":"KMIP Server url in the following format: hostname:port\nValid examples are:\n  10.10.10.3:5696\n  my-kmip-server.mycorp.com:5696\n  kmip-svc.svc.cluster.local:5696","type":"string","pattern":"[^\\:]+:[0-9]{0,5}"}}}}}}},"externalServiceEnabled":{"type":"boolean"},"fileSystemStores":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}}},"headDB":{"description":"HeadDB specifies configuration options for the HeadDB","type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"jvmParameters":{"type":"array","items":{"type":"string"}},"logging":{"type":"object","properties":{"LogBackAccessRef":{"description":"LogBackAccessRef points at a ConfigMap/key 
with the logback access configuration file to mount on the Pod","type":"object","properties":{"name":{"type":"string"}}},"LogBackRef":{"description":"LogBackRef points at a ConfigMap/key with the logback configuration file to mount on the Pod","type":"object","properties":{"name":{"type":"string"}}}}},"members":{"description":"Members indicate the number of backup daemon pods to create.","type":"integer","minimum":1},"opLogStores":{"description":"OplogStoreConfigs describes the list of oplog store configs used for backup","type":"array","items":{"description":"DataStoreConfig is the description of the config used to reference to database. Reused by Oplog and Block stores\nOptionally references the user if the Mongodb is configured with authentication","type":"object","required":["mongodbResourceRef","name"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"mongodbUserRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"name":{"type":"string"}}}},"queryableBackupSecretRef":{"description":"QueryableBackupSecretRef references the secret which contains the pem file which is used\nfor queryable backup. 
This will be mounted into the Ops Manager pod.","type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"s3OpLogStores":{"description":"S3OplogStoreConfigs describes the list of s3 oplog store configs used for backup.","type":"array","items":{"type":"object","required":["name","pathStyleAccessEnabled","s3BucketEndpoint","s3BucketName"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"customCertificate":{"description":"Set this to \"true\" to use the appDBCa as a CA to access S3.\nDeprecated: This has been replaced by CustomCertificateSecretRefs,\nIn the future all custom certificates, which includes the appDBCa\nfor s3Config should be configured in CustomCertificateSecretRefs instead.","type":"boolean"},"customCertificateSecretRefs":{"description":"CustomCertificateSecretRefs is a list of valid Certificate Authority certificate secrets\nthat apply to the associated S3 bucket.","type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"irsaEnabled":{"description":"This is only set to \"true\" when a user is running in EKS and is using AWS IRSA to configure\nS3 snapshot store. 
For more details refer this: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/","type":"boolean"},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"mongodbUserRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"name":{"type":"string"},"pathStyleAccessEnabled":{"type":"boolean"},"s3BucketEndpoint":{"type":"string"},"s3BucketName":{"type":"string"},"s3RegionOverride":{"type":"string"},"s3SecretRef":{"description":"S3SecretRef is the secret that contains the AWS credentials used to access S3\nIt is optional because the credentials can be provided via AWS IRSA","type":"object","required":["name"],"properties":{"name":{"type":"string"}}}}}},"s3Stores":{"type":"array","items":{"type":"object","required":["name","pathStyleAccessEnabled","s3BucketEndpoint","s3BucketName"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"customCertificate":{"description":"Set this to \"true\" to use the appDBCa as a CA to access S3.\nDeprecated: This has been replaced by CustomCertificateSecretRefs,\nIn the future all custom certificates, which includes the appDBCa\nfor s3Config should be configured in CustomCertificateSecretRefs instead.","type":"boolean"},"customCertificateSecretRefs":{"description":"CustomCertificateSecretRefs is a list of valid Certificate Authority certificate secrets\nthat apply to the associated S3 bucket.","type":"array","items":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"}},"irsaEnabled":{"description":"This is only set to \"true\" when a user is running in EKS and is using AWS IRSA to configure\nS3 snapshot store. For more details refer this: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/","type":"boolean"},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"mongodbUserRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"name":{"type":"string"},"pathStyleAccessEnabled":{"type":"boolean"},"s3BucketEndpoint":{"type":"string"},"s3BucketName":{"type":"string"},"s3RegionOverride":{"type":"string"},"s3SecretRef":{"description":"S3SecretRef is the secret that contains the AWS credentials used to access S3\nIt is optional because the credentials can be provided via AWS IRSA","type":"object","required":["name"],"properties":{"name":{"type":"string"}}}}}},"statefulSet":{"description":"StatefulSetConfiguration holds the optional custom StatefulSet\nthat should be merged into the operator created one.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}}}},"clusterDomain":{"type":"string","format":"hostname"},"clusterName":{"description":"Deprecated: This has been replaced by the ClusterDomain which should be\nused 
instead","type":"string","format":"hostname"},"clusterSpecList":{"type":"array","items":{"description":"ClusterSpecOMItem defines members cluster details for Ops Manager multi-cluster deployment.","type":"object","required":["clusterName","members"],"properties":{"backup":{"description":"Backup contains settings to override from top-level `spec.backup` for this member cluster.\nIf the value is not set here, then the value is taken from `spec.backup`.","type":"object","required":["members"],"properties":{"assignmentLabels":{"description":"Assignment Labels set in the Ops Manager","type":"array","items":{"type":"string"}},"headDB":{"description":"HeadDB specifies configuration options for the HeadDB","type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"jvmParameters":{"type":"array","items":{"type":"string"}},"members":{"description":"Members indicate the number of backup daemon pods to create.","type":"integer","minimum":0},"statefulSet":{"description":"StatefulSetConfiguration specifies optional overrides for the backup daemon statefulset.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}}}},"clusterDomain":{"description":"Cluster domain to override the default *.svc.cluster.local if the default cluster domain has been changed on a cluster level.","type":"string","format":"hostname"},"clusterName":{"description":"ClusterName is name of the cluster where the Ops Manager Statefulset will be scheduled.\nThe operator is using ClusterName to find API credentials in `mongodb-kubernetes-operator-member-list` config map to use for this member cluster.\nIf 
the credentials are not found, then the member cluster is considered unreachable and ignored in the reconcile process.","type":"string"},"configuration":{"description":"The configuration properties passed to Ops Manager and Backup Daemon in this cluster.\nIf specified (not empty) then this field overrides `spec.configuration` field entirely.\nIf not specified, then `spec.configuration` field is used for the Ops Manager and Backup Daemon instances in this cluster.","type":"object","additionalProperties":{"type":"string"}},"externalConnectivity":{"description":"MongoDBOpsManagerExternalConnectivity if sets allows for the creation of a Service for\naccessing Ops Manager instances in this member cluster from outside the Kubernetes cluster.\nIf specified (even if provided empty) then this field overrides `spec.externalConnectivity` field entirely.\nIf not specified, then `spec.externalConnectivity` field is used for the Ops Manager and Backup Daemon instances in this cluster.","type":"object","required":["type"],"properties":{"annotations":{"description":"Annotations is a list of annotations to be directly passed to the Service object.","type":"object","additionalProperties":{"type":"string"}},"clusterIP":{"description":"ClusterIP IP that will be assigned to this Service when creating a ClusterIP type Service","type":"string"},"externalTrafficPolicy":{"description":"ExternalTrafficPolicy mechanism to preserve the client source IP.\nOnly supported on GCE and Google Kubernetes Engine.","type":"string","enum":["Cluster","Local"]},"loadBalancerIP":{"description":"LoadBalancerIP IP that will be assigned to this LoadBalancer.","type":"string"},"port":{"description":"Port in which this `Service` will listen to, this applies to `NodePort`.","type":"integer","format":"int32"},"type":{"description":"Type of the `Service` to be created.","type":"string","enum":["LoadBalancer","NodePort","ClusterIP"]}}},"jvmParameters":{"description":"JVM parameters to pass to Ops Manager and 
Backup Daemon instances in this member cluster.\nIf specified (not empty) then this field overrides `spec.jvmParameters` field entirely.\nIf not specified, then `spec.jvmParameters` field is used for the Ops Manager and Backup Daemon instances in this cluster.","type":"array","items":{"type":"string"}},"members":{"description":"Number of Ops Manager instances in this member cluster.","type":"integer"},"statefulSet":{"description":"Configure custom StatefulSet configuration to override in Ops Manager's statefulset in this member cluster.\nIf specified (even if provided empty) then this field overrides `spec.externalConnectivity` field entirely.\nIf not specified, then `spec.externalConnectivity` field is used for the Ops Manager and Backup Daemon instances in this cluster.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}}}}},"configuration":{"description":"The configuration properties passed to Ops Manager/Backup Daemon","type":"object","additionalProperties":{"type":"string"}},"externalConnectivity":{"description":"MongoDBOpsManagerExternalConnectivity if sets allows for the creation of a Service for\naccessing this Ops Manager resource from outside the Kubernetes cluster.","type":"object","required":["type"],"properties":{"annotations":{"description":"Annotations is a list of annotations to be directly passed to the Service object.","type":"object","additionalProperties":{"type":"string"}},"clusterIP":{"description":"ClusterIP IP that will be assigned to this Service when creating a ClusterIP type Service","type":"string"},"externalTrafficPolicy":{"description":"ExternalTrafficPolicy mechanism to preserve the client source IP.\nOnly supported 
on GCE and Google Kubernetes Engine.","type":"string","enum":["Cluster","Local"]},"loadBalancerIP":{"description":"LoadBalancerIP IP that will be assigned to this LoadBalancer.","type":"string"},"port":{"description":"Port in which this `Service` will listen to, this applies to `NodePort`.","type":"integer","format":"int32"},"type":{"description":"Type of the `Service` to be created.","type":"string","enum":["LoadBalancer","NodePort","ClusterIP"]}}},"internalConnectivity":{"description":"InternalConnectivity if set allows for overriding the settings of the default service\nused for internal connectivity to the OpsManager servers.","type":"object","required":["type"],"properties":{"annotations":{"description":"Annotations is a list of annotations to be directly passed to the Service object.","type":"object","additionalProperties":{"type":"string"}},"clusterIP":{"description":"ClusterIP IP that will be assigned to this Service when creating a ClusterIP type Service","type":"string"},"externalTrafficPolicy":{"description":"ExternalTrafficPolicy mechanism to preserve the client source IP.\nOnly supported on GCE and Google Kubernetes Engine.","type":"string","enum":["Cluster","Local"]},"loadBalancerIP":{"description":"LoadBalancerIP IP that will be assigned to this LoadBalancer.","type":"string"},"port":{"description":"Port in which this `Service` will listen to, this applies to `NodePort`.","type":"integer","format":"int32"},"type":{"description":"Type of the `Service` to be created.","type":"string","enum":["LoadBalancer","NodePort","ClusterIP"]}}},"jvmParameters":{"description":"Custom JVM parameters passed to the Ops Manager JVM","type":"array","items":{"type":"string"}},"logging":{"type":"object","properties":{"LogBackAccessRef":{"description":"LogBackAccessRef points at a ConfigMap/key with the logback access configuration file to mount on the Pod","type":"object","properties":{"name":{"type":"string"}}},"LogBackRef":{"description":"LogBackRef points at a 
ConfigMap/key with the logback configuration file to mount on the Pod","type":"object","properties":{"name":{"type":"string"}}}}},"opsManagerURL":{"description":"OpsManagerURL specifies the URL with which the operator and AppDB monitoring agent should access Ops Manager instance (or instances).\nWhen not set, the operator uses the FQDN of Ops Manager's headless service `{name}-svc.{namespace}.svc.cluster.local` to connect to the instance. If that URL cannot be used, then the URL in this field should be provided for the operator to connect to Ops Manager instances.","type":"string"},"replicas":{"type":"integer","minimum":1},"security":{"description":"Configure HTTPS.","type":"object","properties":{"certsSecretPrefix":{"type":"string"},"tls":{"type":"object","properties":{"ca":{"type":"string"},"secretRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}}}}}},"statefulSet":{"description":"Configure custom StatefulSet configuration","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}},"topology":{"description":"Topology sets the desired cluster topology of Ops Manager deployment.\nIt defaults to SingleCluster if not set. 
If MultiCluster specified,\nthen clusterSpecList field is mandatory and at least one member cluster has to be specified.","type":"string","enum":["SingleCluster","MultiCluster"]},"version":{"type":"string"}}},"status":{"type":"object","properties":{"applicationDatabase":{"type":"object","required":["phase","version"],"properties":{"backup":{"type":"object","required":["statusName"],"properties":{"statusName":{"type":"string"}}},"clusterStatusList":{"type":"array","items":{"type":"object","properties":{"clusterName":{"type":"string"},"members":{"type":"integer"}}}},"configServerCount":{"type":"integer"},"featureCompatibilityVersion":{"type":"string"},"lastTransition":{"type":"string"},"link":{"type":"string"},"members":{"type":"integer"},"message":{"type":"string"},"mongodsPerShardCount":{"type":"integer"},"mongosCount":{"type":"integer"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. 
Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"shardCount":{"type":"integer"},"sizeStatusInClusters":{"description":"MongodbShardedSizeStatusInClusters describes the number and sizes of replica sets members deployed across member clusters","type":"object","properties":{"configServerMongodsInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"mongosCountInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"shardMongodsInClusters":{"type":"object","additionalProperties":{"type":"integer"}},"shardOverridesInClusters":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"integer"}}}}},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}},"backup":{"type":"object","required":["phase"],"properties":{"clusterStatusList":{"type":"array","items":{"type":"object","properties":{"clusterName":{"type":"string"},"replicas":{"type":"integer"}}}},"lastTransition":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. 
Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}},"opsManager":{"type":"object","required":["phase"],"properties":{"clusterStatusList":{"type":"array","items":{"type":"object","properties":{"clusterName":{"type":"string"},"replicas":{"type":"integer"}}}},"lastTransition":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"replicas":{"type":"integer"},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"url":{"type":"string"},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBOpsManager","version":"v1"}],"title":"com.mongodb.v1.MongoDBOpsManager"},"com.mongodb.v1.MongoDBOpsManagerList":{"description":"MongoDBOpsManagerList is a list of MongoDBOpsManager","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of opsmanagers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.MongoDBOpsManager"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBOpsManagerList","version":"v1"}],"title":"com.mongodb.v1.MongoDBOpsManagerList"},"com.mongodb.v1.MongoDBSearch":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"logLevel":{"description":"Configure verbosity of mongot logs. Defaults to INFO if not set.","type":"string","enum":["TRACE","DEBUG","INFO","WARN","ERROR"]},"persistence":{"description":"Configure MongoDB Search's persistent volume. If not defined, the operator will request 10GB of storage.","type":"object","properties":{"multiple":{"type":"object","properties":{"data":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"journal":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}},"logs":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"single":{"type":"object","properties":{"labelSelector":{"x-kubernetes-preserve-unknown-fields":true},"storage":{"type":"string"},"storageClass":{"type":"string"}}}}},"resourceRequirements":{"description":"Configure resource requests and limits for the MongoDB Search pods.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis is an alpha field and requires enabling the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. 
It makes that resource available\ninside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"description":"Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"security":{"description":"Configure security settings of the MongoDB Search server that MongoDB database is connecting to when performing search queries.","type":"object","properties":{"tls":{"type":"object","required":["certificateKeySecretRef"],"properties":{"certificateKeySecretRef":{"description":"CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.\nThe key and cert are expected to be PEM encoded and available at \"tls.key\" and \"tls.crt\".\nThis is the same format used for the standard \"kubernetes.io/tls\" Secret type, but no specific type is required.","type":"object","properties":{"name":{"description":"Name of 
the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"source":{"description":"MongoDB database connection details from which MongoDB Search will synchronize data to build indexes.","type":"object","properties":{"external":{"type":"object","properties":{"hostAndPorts":{"type":"array","items":{"type":"string"}},"keyfileSecretRef":{"description":"mongod keyfile used to connect to the external MongoDB deployment","type":"object","required":["name"],"properties":{"key":{"type":"string"},"name":{"type":"string"}}},"tls":{"description":"TLS configuration for the external MongoDB deployment","type":"object","required":["ca"],"properties":{"ca":{"description":"CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.\nThe CA certificate is expected to be PEM encoded and available at the \"ca.crt\" key.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"passwordSecretRef":{"description":"SecretKeyRef is a reference to a value in a given secret in the same\nnamespace. 
Based on:\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#secretkeyselector-v1-core","type":"object","required":["name"],"properties":{"key":{"type":"string"},"name":{"type":"string"}}},"username":{"type":"string"}}},"statefulSet":{"description":"StatefulSetSpec which the operator will apply to the MongoDB Search StatefulSet at the end of the reconcile loop. Use to provide necessary customizations,\nwhich aren't exposed as fields in the MongoDBSearch.spec.","type":"object","required":["spec"],"properties":{"metadata":{"description":"StatefulSetMetadataWrapper is a wrapper around Labels and Annotations","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"spec":{"x-kubernetes-preserve-unknown-fields":true}}},"version":{"description":"Optional version of MongoDB Search component (mongot). If not set, then the operator will set the most appropriate version of MongoDB Search.","type":"string"}}},"status":{"type":"object","required":["phase"],"properties":{"lastTransition":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. 
Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"version":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBSearch","version":"v1"}],"title":"com.mongodb.v1.MongoDBSearch"},"com.mongodb.v1.MongoDBSearchList":{"description":"MongoDBSearchList is a list of MongoDBSearch","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mongodbsearch. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.MongoDBSearch"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBSearchList","version":"v1"}],"title":"com.mongodb.v1.MongoDBSearchList"},"com.mongodb.v1.MongoDBUser":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["db","username"],"properties":{"connectionStringSecretName":{"type":"string"},"db":{"type":"string"},"mongodbResourceRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"namespace":{"type":"string"}}},"passwordSecretKeyRef":{"description":"SecretKeyRef is a reference to a value in a given secret in the same\nnamespace. 
Based on:\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#secretkeyselector-v1-core","type":"object","required":["name"],"properties":{"key":{"type":"string"},"name":{"type":"string"}}},"roles":{"type":"array","items":{"type":"object","required":["db","name"],"properties":{"db":{"type":"string"},"name":{"type":"string"}}}},"username":{"type":"string"}}},"status":{"type":"object","required":["db","phase","project","username"],"properties":{"db":{"type":"string"},"lastTransition":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer","format":"int64"},"phase":{"type":"string"},"project":{"type":"string"},"pvc":{"type":"array","items":{"type":"object","required":["phase","statefulsetName"],"properties":{"phase":{"type":"string"},"statefulsetName":{"type":"string"}}}},"resourcesNotReady":{"type":"array","items":{"description":"ResourceNotReady describes the dependent resource which is not ready yet","type":"object","required":["kind","name"],"properties":{"errors":{"type":"array","items":{"type":"object","properties":{"message":{"type":"string"},"reason":{"type":"string"}}}},"kind":{"description":"ResourceKind specifies a kind of a Kubernetes resource. Used in status of a Custom Resource","type":"string"},"message":{"type":"string"},"name":{"type":"string"}}}},"roles":{"type":"array","items":{"type":"object","required":["db","name"],"properties":{"db":{"type":"string"},"name":{"type":"string"}}}},"username":{"type":"string"},"warnings":{"type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBUser","version":"v1"}],"title":"com.mongodb.v1.MongoDBUser"},"com.mongodb.v1.MongoDBUserList":{"description":"MongoDBUserList is a list of MongoDBUser","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mongodbusers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.mongodb.v1.MongoDBUser"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"mongodb.com","kind":"MongoDBUserList","version":"v1"}],"title":"com.mongodb.v1.MongoDBUserList"},"com.stakater.forecastle.v1alpha1.ForecastleApp":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["name","group","icon"],"properties":{"group":{"type":"string"},"icon":{"type":"string"},"instance":{"type":"string"},"name":{"type":"string"},"networkRestricted":{"type":"boolean"},"properties":{"type":"object","additionalProperties":{"type":"string"}},"url":{"type":"string"},"urlFrom":{"type":"object","properties":{"httpRouteRef":{"type":"object","properties":{"name":{"type":"string"}}},"ingressRef":{"type":"object","properties":{"name":{"type":"string"}}},"ingressRouteRef":{"type":"object","properties":{"name":{"type":"string"}}},"routeRef":{"type":"object","properties":{"name":{"type":"string"}}}}}}},"status":{"type":"object"}},"x-kubernetes-group-version-kind":[{"group":"forecastle.stakater.com","kind":"ForecastleApp","version":"v1alpha1"}],"title":"com.stakater.forecastle.v1alpha1.ForecastleApp"},"com.stakater.forecastle.v1alpha1.ForecastleAppList":{"description":"ForecastleAppList is a list of ForecastleApp","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of forecastleapps. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/com.stakater.forecastle.v1alpha1.ForecastleApp"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"forecastle.stakater.com","kind":"ForecastleAppList","version":"v1alpha1"}],"title":"com.stakater.forecastle.v1alpha1.ForecastleAppList"},"io.argoproj.v1alpha1.AppProject":{"description":"AppProject provides a logical grouping of applications, providing controls for:\n* where the apps may deploy to (cluster whitelist)\n* what may be deployed (repository whitelist, resource whitelist/blacklist)\n* who can access these applications (roles, OIDC group claims bindings)\n* and what they can do (RBAC policies)\n* automation access to these roles (JWT tokens)","type":"object","required":["metadata","spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"AppProjectSpec is the specification of an AppProject","type":"object","properties":{"clusterResourceBlacklist":{"description":"ClusterResourceBlacklist contains list of blacklisted cluster level resources","type":"array","items":{"description":"ClusterResourceRestrictionItem is a cluster resource that is restricted by the project's whitelist or blacklist","type":"object","required":["group","kind"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"description":"Name is the name of the restricted resource. Glob patterns using Go's filepath.Match syntax are supported.\nUnlike the group and kind fields, if no name is specified, all resources of the specified group/kind are matched.","type":"string"}}}},"clusterResourceWhitelist":{"description":"ClusterResourceWhitelist contains list of whitelisted cluster level resources","type":"array","items":{"description":"ClusterResourceRestrictionItem is a cluster resource that is restricted by the project's whitelist or blacklist","type":"object","required":["group","kind"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"description":"Name is the name of the restricted resource. 
Glob patterns using Go's filepath.Match syntax are supported.\nUnlike the group and kind fields, if no name is specified, all resources of the specified group/kind are matched.","type":"string"}}}},"description":{"description":"Description contains optional project description","type":"string","maxLength":255},"destinationServiceAccounts":{"description":"DestinationServiceAccounts holds information about the service accounts to be impersonated for the application sync operation for each destination.","type":"array","items":{"description":"ApplicationDestinationServiceAccount holds information about the service account to be impersonated for the application sync operation.","type":"object","required":["defaultServiceAccount","server"],"properties":{"defaultServiceAccount":{"description":"DefaultServiceAccount to be used for impersonation during the sync operation","type":"string"},"namespace":{"description":"Namespace specifies the target namespace for the application's resources.","type":"string"},"server":{"description":"Server specifies the URL of the target cluster's Kubernetes control plane API.","type":"string"}}}},"destinations":{"description":"Destinations contains list of destinations available for deployment","type":"array","items":{"description":"ApplicationDestination holds information about the application's destination","type":"object","properties":{"name":{"description":"Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.","type":"string"},"namespace":{"description":"Namespace specifies the target namespace for the application's resources.\nThe namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace","type":"string"},"server":{"description":"Server specifies the URL of the target cluster's Kubernetes control plane API. 
This must be set if Name is not set.","type":"string"}}}},"namespaceResourceBlacklist":{"description":"NamespaceResourceBlacklist contains list of blacklisted namespace level resources","type":"array","items":{"description":"GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying\nconcepts during lookup stages without having partially valid types","type":"object","required":["group","kind"],"properties":{"group":{"type":"string"},"kind":{"type":"string"}}}},"namespaceResourceWhitelist":{"description":"NamespaceResourceWhitelist contains list of whitelisted namespace level resources","type":"array","items":{"description":"GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying\nconcepts during lookup stages without having partially valid types","type":"object","required":["group","kind"],"properties":{"group":{"type":"string"},"kind":{"type":"string"}}}},"orphanedResources":{"description":"OrphanedResources specifies if controller should monitor orphaned resources of apps in this project","type":"object","properties":{"ignore":{"description":"Ignore contains a list of resources that are to be excluded from orphaned resources monitoring","type":"array","items":{"description":"OrphanedResourceKey is a reference to a resource to be ignored from orphaned resources monitoring","type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}}}},"warn":{"description":"Warn indicates if warning condition should be created for apps which have orphaned resources","type":"boolean"}}},"permitOnlyProjectScopedClusters":{"description":"PermitOnlyProjectScopedClusters determines whether destinations can only reference clusters which are project-scoped","type":"boolean"},"roles":{"description":"Roles are user defined RBAC roles associated with this project","type":"array","items":{"description":"ProjectRole represents a role that has access to a 
project","type":"object","required":["name"],"properties":{"description":{"description":"Description is a description of the role","type":"string"},"groups":{"description":"Groups are a list of OIDC group claims bound to this role","type":"array","items":{"type":"string"}},"jwtTokens":{"description":"JWTTokens are a list of generated JWT tokens bound to this role","type":"array","items":{"description":"JWTToken holds the issuedAt and expiresAt values of a token","type":"object","required":["iat"],"properties":{"exp":{"type":"integer","format":"int64"},"iat":{"type":"integer","format":"int64"},"id":{"type":"string"}}}},"name":{"description":"Name is a name for this role","type":"string"},"policies":{"description":"Policies stores a list of casbin-formatted strings that define access policies for the role in the project","type":"array","items":{"type":"string"}}}}},"signatureKeys":{"description":"SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync","type":"array","items":{"description":"SignatureKey is the specification of a key required to verify commit signatures with","type":"object","required":["keyID"],"properties":{"keyID":{"description":"The ID of the key in hexadecimal notation","type":"string"}}}},"sourceNamespaces":{"description":"SourceNamespaces defines the namespaces application resources are allowed to be created in","type":"array","items":{"type":"string"}},"sourceRepos":{"description":"SourceRepos contains list of repository URLs which can be used for deployment","type":"array","items":{"type":"string"}},"syncWindows":{"description":"SyncWindows controls when syncs can be run for apps in this project","type":"array","items":{"description":"SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps","type":"object","properties":{"andOperator":{"description":"UseAndOperator use AND operator for matching applications, namespaces and clusters 
instead of the default OR operator","type":"boolean"},"applications":{"description":"Applications contains a list of applications that the window will apply to","type":"array","items":{"type":"string"}},"clusters":{"description":"Clusters contains a list of clusters that the window will apply to","type":"array","items":{"type":"string"}},"description":{"description":"Description of the sync that will be applied to the schedule, can be used to add any information such as a ticket number for example","type":"string"},"duration":{"description":"Duration is the amount of time the sync window will be open","type":"string"},"kind":{"description":"Kind defines if the window allows or blocks syncs","type":"string"},"manualSync":{"description":"ManualSync enables manual syncs when they would otherwise be blocked","type":"boolean"},"namespaces":{"description":"Namespaces contains a list of namespaces that the window will apply to","type":"array","items":{"type":"string"}},"schedule":{"description":"Schedule is the time the window will begin, specified in cron format","type":"string"},"timeZone":{"description":"TimeZone of the sync that will be applied to the schedule","type":"string"}}}}}},"status":{"description":"AppProjectStatus contains status information for AppProject CRs","type":"object","properties":{"jwtTokensByRole":{"description":"JWTTokensByRole contains a list of JWT tokens issued for a given role","type":"object","additionalProperties":{"description":"JWTTokens represents a list of JWT tokens","type":"object","properties":{"items":{"type":"array","items":{"description":"JWTToken holds the issuedAt and expiresAt values of a 
token","type":"object","required":["iat"],"properties":{"exp":{"type":"integer","format":"int64"},"iat":{"type":"integer","format":"int64"},"id":{"type":"string"}}}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"AppProject","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.AppProject"},"io.argoproj.v1alpha1.AppProjectList":{"description":"AppProjectList is a list of AppProject","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of appprojects. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.argoproj.v1alpha1.AppProject"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"AppProjectList","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.AppProjectList"},"io.argoproj.v1alpha1.Application":{"description":"Application is a definition of Application resource.","type":"object","required":["metadata","spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"operation":{"description":"Operation contains information about a requested or running operation","type":"object","properties":{"info":{"description":"Info is a list of informational items for this operation","type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"initiatedBy":{"description":"InitiatedBy contains information about who initiated the operations","type":"object","properties":{"automated":{"description":"Automated is set to true if operation was initiated automatically by the application controller.","type":"boolean"},"username":{"description":"Username contains the name of a user who started operation","type":"string"}}},"retry":{"description":"Retry controls the strategy to apply if a sync fails","type":"object","properties":{"backoff":{"description":"Backoff controls how to backoff on subsequent retries of failed syncs","type":"object","properties":{"duration":{"description":"Duration is the amount to back off. Default unit is seconds, but could also be a duration (e.g. \"2m\", \"1h\")","type":"string"},"factor":{"description":"Factor is a factor to multiply the base duration after each failed retry","type":"integer","format":"int64"},"maxDuration":{"description":"MaxDuration is the maximum amount of time allowed for the backoff strategy","type":"string"}}},"limit":{"description":"Limit is the maximum number of attempts for retrying a failed sync. 
If set to 0, no retries will be performed.","type":"integer","format":"int64"},"refresh":{"description":"Refresh indicates if the latest revision should be used on retry instead of the initial one (default: false)","type":"boolean"}}},"sync":{"description":"Sync contains parameters for the operation","type":"object","properties":{"autoHealAttemptsCount":{"description":"SelfHealAttemptsCount contains the number of auto-heal attempts","type":"integer","format":"int64"},"dryRun":{"description":"DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync","type":"boolean"},"manifests":{"description":"Manifests is an optional field that overrides sync source with a local directory for development","type":"array","items":{"type":"string"}},"prune":{"description":"Prune specifies to delete resources from the cluster that are no longer tracked in git","type":"boolean"},"resources":{"description":"Resources describes which resources shall be part of the sync","type":"array","items":{"description":"SyncOperationResource contains resources to sync.","type":"object","required":["kind","name"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}}},"revision":{"description":"Revision is the revision (Git) or chart version (Helm) which to sync the application to\nIf omitted, will use the revision specified in app spec.","type":"string"},"revisions":{"description":"Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to\nIf omitted, will use the revision specified in app spec.","type":"array","items":{"type":"string"}},"source":{"description":"Source overrides the source definition set in the application.\nThis is typically set in a Rollback operation and is nil during a Sync operation","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be 
specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. 
The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes repository credentials to all domains, not only the repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. 
If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. 
The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format [old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. 
By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sources":{"description":"Sources overrides the source definition set in the application.\nThis is typically set in a Rollback operation and is nil during a Sync operation","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively 
for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes repository credentials to all domains, not only the repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}},"syncOptions":{"description":"SyncOptions provide per-sync sync-options, e.g. 
Validate=false","type":"array","items":{"type":"string"}},"syncStrategy":{"description":"SyncStrategy describes how to perform the sync","type":"object","properties":{"apply":{"description":"Apply will perform a `kubectl apply` to perform the sync.","type":"object","properties":{"force":{"description":"Force indicates whether or not to supply the --force flag to `kubectl apply`.\nThe --force flag deletes and re-creates the resource when PATCH encounters a conflict and has\nretried 5 times.","type":"boolean"}}},"hook":{"description":"Hook will submit any referenced resources to perform the sync. This is the default strategy","type":"object","properties":{"force":{"description":"Force indicates whether or not to supply the --force flag to `kubectl apply`.\nThe --force flag deletes and re-creates the resource when PATCH encounters a conflict and has\nretried 5 times.","type":"boolean"}}}}}}}}},"spec":{"description":"ApplicationSpec represents desired application state. Contains link to repository with application definition and additional parameters link definition revision.","type":"object","required":["destination","project"],"properties":{"destination":{"description":"Destination is a reference to the target Kubernetes server and namespace","type":"object","properties":{"name":{"description":"Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.","type":"string"},"namespace":{"description":"Namespace specifies the target namespace for the application's resources.\nThe namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace","type":"string"},"server":{"description":"Server specifies the URL of the target cluster's Kubernetes control plane API. 
This must be set if Name is not set.","type":"string"}}},"ignoreDifferences":{"description":"IgnoreDifferences is a list of resources and their fields which should be ignored during comparison","type":"array","items":{"description":"ResourceIgnoreDifferences contains resource filter and list of json paths which should be ignored during comparison with live state.","type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"description":"ManagedFieldsManagers is a list of trusted managers. Fields mutated by those managers will take precedence over the\ndesired state defined in the SCM and won't be displayed in diffs","type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"description":"Info contains a list of information (URLs, email addresses, and plain text) that relates to the application","type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"description":"Project is a reference to the project this application belongs to.\nThe empty string means that application belongs to the 'default' project.","type":"string"},"revisionHistoryLimit":{"description":"RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for informational purposes as well as for rollbacks to previous versions.\nThis should only be changed in exceptional circumstances.\nSetting to zero will store no history. 
This will reduce storage used.\nIncreasing will increase the space used to store the history, so we do not recommend increasing it.\nDefault is 10.","type":"integer","format":"int64"},"source":{"description":"Source is a reference to the location of the application's manifests or chart","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific 
options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValueFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, defaults to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sourceHydrator":{"description":"SourceHydrator provides a way to push hydrated manifests back to git before syncing them to the cluster.","type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"description":"DrySource specifies where the dry \"don't repeat yourself\" manifest source lives.","type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"description":"Directory specifies path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm specifies helm specific 
options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValueFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize specifies kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"path":{"description":"Path is a directory path within the Git repository where the manifests are 
located","type":"string"},"plugin":{"description":"Plugin specifies config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"repoURL":{"description":"RepoURL is the URL to the git repository that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to hydrate","type":"string"}}},"hydrateTo":{"description":"HydrateTo specifies an optional \"staging\" location to push hydrated manifests to. An external system would then\nhave to move manifests to the SyncSource, e.g. by pull request.","type":"object","required":["targetBranch"],"properties":{"targetBranch":{"description":"TargetBranch is the branch to which hydrated manifests should be committed","type":"string"}}},"syncSource":{"description":"SyncSource specifies where to sync hydrated manifests from.","type":"object","required":["path","targetBranch"],"properties":{"path":{"description":"Path is a directory path within the git repository where hydrated manifests should be committed to and synced\nfrom. 
The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which\nhydrated manifests will be synced.","type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"description":"TargetBranch is the branch from which hydrated manifests will be synced.\nIf HydrateTo is not set, this is also the branch to which hydrated manifests are committed.","type":"string"}}}}},"sources":{"description":"Sources is a reference to the location of the application's manifests or chart","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during 
manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValueFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, it defaults to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}},"syncPolicy":{"description":"SyncPolicy controls when and how a sync will be performed","type":"object","properties":{"automated":{"description":"Automated will keep an application synced to the target revision","type":"object","properties":{"allowEmpty":{"description":"AllowEmpty allows apps to have zero live resources (default: false)","type":"boolean"},"enabled":{"description":"Enabled allows apps to explicitly control automated sync","type":"boolean"},"prune":{"description":"Prune specifies whether to delete resources from the cluster that are not found in the sources anymore as part of automated sync (default: false)","type":"boolean"},"selfHeal":{"description":"SelfHeal specifies whether to revert resources back to their desired state upon modification in the cluster (default: false)","type":"boolean"}}},"managedNamespaceMetadata":{"description":"ManagedNamespaceMetadata controls metadata in the given namespace (if CreateNamespace=true)","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"description":"Retry controls failed sync retry behavior","type":"object","properties":{"backoff":{"description":"Backoff controls how to back off on subsequent retries of failed syncs","type":"object","properties":{"duration":{"description":"Duration is the amount to back off. Default unit is seconds, but could also be a duration (e.g. \"2m\", \"1h\")","type":"string"},"factor":{"description":"Factor is a factor to multiply the base duration after each failed retry","type":"integer","format":"int64"},"maxDuration":{"description":"MaxDuration is the maximum amount of time allowed for the backoff strategy","type":"string"}}},"limit":{"description":"Limit is the maximum number of attempts for retrying a failed sync. 
If set to 0, no retries will be performed.","type":"integer","format":"int64"},"refresh":{"description":"Refresh indicates if the latest revision should be used on retry instead of the initial one (default: false)","type":"boolean"}}},"syncOptions":{"description":"Options allow you to specify whole app sync-options","type":"array","items":{"type":"string"}}}}}},"status":{"description":"ApplicationStatus contains status information for the application","type":"object","properties":{"conditions":{"description":"Conditions is a list of currently observed application conditions","type":"array","items":{"description":"ApplicationCondition contains details about an application condition, which is usually an error or warning","type":"object","required":["message","type"],"properties":{"lastTransitionTime":{"description":"LastTransitionTime is the time the condition was last observed","type":"string","format":"date-time"},"message":{"description":"Message contains human-readable message indicating details about condition","type":"string"},"type":{"description":"Type is an application condition type","type":"string"}}}},"controllerNamespace":{"description":"ControllerNamespace indicates the namespace in which the application controller is located","type":"string"},"health":{"description":"Health contains information about the application's current health status","type":"object","properties":{"lastTransitionTime":{"description":"LastTransitionTime is the time the HealthStatus was set or updated","type":"string","format":"date-time"},"message":{"description":"Message is a human-readable informational message describing the health status\n\nDeprecated: this field is not used and will be removed in a future release.","type":"string"},"status":{"description":"Status holds the status code of the application","type":"string"}}},"history":{"description":"History contains information about the application's sync history","type":"array","items":{"description":"RevisionHistory 
contains history information about a previous sync","type":"object","required":["deployedAt","id"],"properties":{"deployStartedAt":{"description":"DeployStartedAt holds the time the sync operation started","type":"string","format":"date-time"},"deployedAt":{"description":"DeployedAt holds the time the sync operation completed","type":"string","format":"date-time"},"id":{"description":"ID is an auto incrementing identifier of the RevisionHistory","type":"integer","format":"int64"},"initiatedBy":{"description":"InitiatedBy contains information about who initiated the operations","type":"object","properties":{"automated":{"description":"Automated is set to true if operation was initiated automatically by the application controller.","type":"boolean"},"username":{"description":"Username contains the name of a user who started operation","type":"string"}}},"revision":{"description":"Revision holds the revision the sync was performed against","type":"string"},"revisions":{"description":"Revisions holds the revision of each source in sources field the sync was performed against","type":"array","items":{"type":"string"}},"source":{"description":"Source is a reference to the application source used for the sync operation","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars 
is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. 
By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted, it will use the application name.","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValueFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sources":{"description":"Sources is a reference to the application sources used for the sync operation","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm 
holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted, it will use the application name.","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValueFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}}}}},"observedAt":{"description":"ObservedAt indicates when the application state was updated without querying latest git state\nDeprecated: controller no longer updates ObservedAt field","type":"string","format":"date-time"},"operationState":{"description":"OperationState contains information about any ongoing operations, such as a sync","type":"object","required":["operation","phase","startedAt"],"properties":{"finishedAt":{"description":"FinishedAt contains time of operation completion","type":"string","format":"date-time"},"message":{"description":"Message holds any pertinent messages when attempting to perform operation (typically errors).","type":"string"},"operation":{"description":"Operation is the original requested operation","type":"object","properties":{"info":{"description":"Info is a list of informational items for this operation","type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"initiatedBy":{"description":"InitiatedBy contains information about who initiated the operations","type":"object","properties":{"automated":{"description":"Automated is set to true if operation was initiated automatically by the application controller.","type":"boolean"},"username":{"description":"Username contains the name of a user who started operation","type":"string"}}},"retry":{"description":"Retry controls the strategy to apply if a sync fails","type":"object","properties":{"backoff":{"description":"Backoff controls how to backoff on subsequent retries of failed syncs","type":"object","properties":{"duration":{"description":"Duration is the amount to back off. Default unit is seconds, but could also be a duration (e.g. 
\"2m\", \"1h\")","type":"string"},"factor":{"description":"Factor is a factor to multiply the base duration after each failed retry","type":"integer","format":"int64"},"maxDuration":{"description":"MaxDuration is the maximum amount of time allowed for the backoff strategy","type":"string"}}},"limit":{"description":"Limit is the maximum number of attempts for retrying a failed sync. If set to 0, no retries will be performed.","type":"integer","format":"int64"},"refresh":{"description":"Refresh indicates if the latest revision should be used on retry instead of the initial one (default: false)","type":"boolean"}}},"sync":{"description":"Sync contains parameters for the operation","type":"object","properties":{"autoHealAttemptsCount":{"description":"SelfHealAttemptsCount contains the number of auto-heal attempts","type":"integer","format":"int64"},"dryRun":{"description":"DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync","type":"boolean"},"manifests":{"description":"Manifests is an optional field that overrides sync source with a local directory for development","type":"array","items":{"type":"string"}},"prune":{"description":"Prune specifies to delete resources from the cluster that are no longer tracked in git","type":"boolean"},"resources":{"description":"Resources describes which resources shall be part of the sync","type":"array","items":{"description":"SyncOperationResource contains resources to sync.","type":"object","required":["kind","name"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}}},"revision":{"description":"Revision is the revision (Git) or chart version (Helm) which to sync the application to\nIf omitted, will use the revision specified in app spec.","type":"string"},"revisions":{"description":"Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to\nIf 
omitted, will use the revision specified in app spec.","type":"array","items":{"type":"string"}},"source":{"description":"Source overrides the source definition set in the application.\nThis is typically set in a Rollback operation and is nil during a Sync operation","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific 
options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes the repository credentials to all domains, not only the domain of the repository URL (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sources":{"description":"Sources overrides the source definition set in the application.\nThis is typically set in a Rollback operation and is nil during a Sync operation","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively 
for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes the repository credentials to all domains, not only the domain of the repository URL (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}},"syncOptions":{"description":"SyncOptions provide per-sync sync-options, e.g. 
Validate=false","type":"array","items":{"type":"string"}},"syncStrategy":{"description":"SyncStrategy describes how to perform the sync","type":"object","properties":{"apply":{"description":"Apply will perform a `kubectl apply` to perform the sync.","type":"object","properties":{"force":{"description":"Force indicates whether or not to supply the --force flag to `kubectl apply`.\nThe --force flag deletes and re-creates the resource when PATCH encounters a conflict and has\nbeen retried 5 times.","type":"boolean"}}},"hook":{"description":"Hook will submit any referenced resources to perform the sync. This is the default strategy","type":"object","properties":{"force":{"description":"Force indicates whether or not to supply the --force flag to `kubectl apply`.\nThe --force flag deletes and re-creates the resource when PATCH encounters a conflict and has\nbeen retried 5 times.","type":"boolean"}}}}}}}}},"phase":{"description":"Phase is the current phase of the operation","type":"string"},"retryCount":{"description":"RetryCount contains the number of operation retries","type":"integer","format":"int64"},"startedAt":{"description":"StartedAt contains time of operation start","type":"string","format":"date-time"},"syncResult":{"description":"SyncResult is the result of a Sync operation","type":"object","required":["revision"],"properties":{"managedNamespaceMetadata":{"description":"ManagedNamespaceMetadata contains the current sync state of managed namespace metadata","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"resources":{"description":"Resources contains a list of sync result items for each individual resource in a sync operation","type":"array","items":{"description":"ResourceResult holds the operation result details of a specific 
resource","type":"object","required":["group","kind","name","namespace","version"],"properties":{"group":{"description":"Group specifies the API group of the resource","type":"string"},"hookPhase":{"description":"HookPhase contains the state of any operation associated with this resource OR hook\nThis can also contain values for non-hook resources.","type":"string"},"hookType":{"description":"HookType specifies the type of the hook. Empty for non-hook resources","type":"string"},"images":{"description":"Images contains the images related to the ResourceResult","type":"array","items":{"type":"string"}},"kind":{"description":"Kind specifies the API kind of the resource","type":"string"},"message":{"description":"Message contains an informational or error message for the last sync OR operation","type":"string"},"name":{"description":"Name specifies the name of the resource","type":"string"},"namespace":{"description":"Namespace specifies the target namespace of the resource","type":"string"},"status":{"description":"Status holds the final result of the sync. 
Will be empty if the resource is yet to be applied/pruned and is always zero-value for hooks","type":"string"},"syncPhase":{"description":"SyncPhase indicates the particular phase of the sync that this result was acquired in","type":"string"},"version":{"description":"Version specifies the API version of the resource","type":"string"}}}},"revision":{"description":"Revision holds the revision this sync operation was performed to","type":"string"},"revisions":{"description":"Revisions holds the revisions this sync operation was performed to, one for each respectively indexed source in the sources field","type":"array","items":{"type":"string"}},"source":{"description":"Source records the application source information of the sync, used for comparing auto-sync","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level 
Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes the repository credentials to all domains, not only the domain of the repository URL (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sources":{"description":"Source records the application source information of the sync, used for comparing auto-sync","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for 
manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}}}}}},"reconciledAt":{"description":"ReconciledAt indicates when the application state was reconciled using the latest git version","type":"string","format":"date-time"},"resourceHealthSource":{"description":"ResourceHealthSource indicates where the resource health status is stored: inline if not set or appTree","type":"string"},"resources":{"description":"Resources is a list of Kubernetes resources managed by this application","type":"array","items":{"description":"ResourceStatus holds the current synchronization and health status of a Kubernetes resource.","type":"object","properties":{"group":{"description":"Group represents the API group of the resource (e.g., \"apps\" for Deployments).","type":"string"},"health":{"description":"Health indicates the health status of the resource (e.g., Healthy, Degraded, Progressing).","type":"object","properties":{"lastTransitionTime":{"description":"LastTransitionTime is the time the HealthStatus was set or updated\n\nDeprecated: this field is not used and will be removed in a future release.","type":"string","format":"date-time"},"message":{"description":"Message is a human-readable informational message describing the health status","type":"string"},"status":{"description":"Status holds the status code of the resource","type":"string"}}},"hook":{"description":"Hook is true if the resource is used as a lifecycle hook in an Argo CD application.","type":"boolean"},"kind":{"description":"Kind specifies the type of the resource (e.g., \"Deployment\", \"Service\").","type":"string"},"name":{"description":"Name is the unique name of the resource within the namespace.","type":"string"},"namespace":{"description":"Namespace defines the Kubernetes namespace where the resource is located.","type":"string"},"requiresDeletionConfirmation":{"description":"RequiresDeletionConfirmation is true if the resource requires explicit 
user confirmation before deletion.","type":"boolean"},"requiresPruning":{"description":"RequiresPruning is true if the resource needs to be pruned (deleted) as part of synchronization.","type":"boolean"},"status":{"description":"Status represents the synchronization state of the resource (e.g., Synced, OutOfSync).","type":"string"},"syncWave":{"description":"SyncWave determines the order in which resources are applied during a sync operation.\nLower values are applied first.","type":"integer","format":"int64"},"version":{"description":"Version indicates the API version of the resource (e.g., \"v1\", \"v1beta1\").","type":"string"}}}},"sourceHydrator":{"description":"SourceHydrator stores information about the current state of source hydration","type":"object","properties":{"currentOperation":{"description":"CurrentOperation holds the status of the hydrate operation","type":"object","required":["message","phase"],"properties":{"drySHA":{"description":"DrySHA holds the resolved revision (sha) of the dry source as of the most recent reconciliation","type":"string"},"finishedAt":{"description":"FinishedAt indicates when the hydrate operation finished","type":"string","format":"date-time"},"hydratedSHA":{"description":"HydratedSHA holds the resolved revision (sha) of the hydrated source as of the most recent reconciliation","type":"string"},"message":{"description":"Message contains a message describing the current status of the hydrate operation","type":"string"},"phase":{"description":"Phase indicates the status of the hydrate operation","type":"string","enum":["Hydrating","Failed","Hydrated"]},"sourceHydrator":{"description":"SourceHydrator holds the hydrator config used for the hydrate operation","type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"description":"DrySource specifies where the dry \"don't repeat yourself\" manifest source 
lives.","type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"description":"Directory specifies path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm specifies helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. 
The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. 
If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize specifies kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. 
The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format [old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. 
By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"path":{"description":"Path is a directory path within the Git repository where the manifests are located","type":"string"},"plugin":{"description":"Plugin specifies config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable 
entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"repoURL":{"description":"RepoURL is the URL to the git repository that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to hydrate","type":"string"}}},"hydrateTo":{"description":"HydrateTo specifies an optional \"staging\" location to push hydrated manifests to. An external system would then\nhave to move manifests to the SyncSource, e.g. by pull request.","type":"object","required":["targetBranch"],"properties":{"targetBranch":{"description":"TargetBranch is the branch to which hydrated manifests should be committed","type":"string"}}},"syncSource":{"description":"SyncSource specifies where to sync hydrated manifests from.","type":"object","required":["path","targetBranch"],"properties":{"path":{"description":"Path is a directory path within the git repository where hydrated manifests should be committed to and synced\nfrom. The Path should never point to the root of the repo. 
If hydrateTo is set, this is just the path from which\nhydrated manifests will be synced. Note that this field's pattern rejects only the one-character values \".\" and \"/\"; longer values that still resolve to the repo root, such as \"./\", pass schema validation.","type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"description":"TargetBranch is the branch from which hydrated manifests will be synced.\nIf HydrateTo is not set, this is also the branch to which hydrated manifests are committed.","type":"string"}}}}},"startedAt":{"description":"StartedAt indicates when the hydrate operation started","type":"string","format":"date-time"}}},"lastSuccessfulOperation":{"description":"LastSuccessfulOperation holds info about the most recent successful hydration","type":"object","properties":{"drySHA":{"description":"DrySHA holds the resolved revision (sha) of the dry source as of the most recent reconciliation","type":"string"},"hydratedSHA":{"description":"HydratedSHA holds the resolved revision (sha) of the hydrated source as of the most recent reconciliation","type":"string"},"sourceHydrator":{"description":"SourceHydrator holds the hydrator config used for the hydrate operation","type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"description":"DrySource specifies where the dry \"don't repeat yourself\" manifest source lives.","type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"description":"Directory specifies path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be 
passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm specifies helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. 
By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials passes credentials to all domains, not only the chart repository's own domain (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize specifies kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"path":{"description":"Path is a directory path within the Git repository where the manifests are 
located","type":"string"},"plugin":{"description":"Plugin specifies config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"repoURL":{"description":"RepoURL is the URL to the git repository that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to hydrate","type":"string"}}},"hydrateTo":{"description":"HydrateTo specifies an optional \"staging\" location to push hydrated manifests to. An external system would then\nhave to move manifests to the SyncSource, e.g. by pull request.","type":"object","required":["targetBranch"],"properties":{"targetBranch":{"description":"TargetBranch is the branch to which hydrated manifests should be committed","type":"string"}}},"syncSource":{"description":"SyncSource specifies where to sync hydrated manifests from.","type":"object","required":["path","targetBranch"],"properties":{"path":{"description":"Path is a directory path within the git repository where hydrated manifests should be committed to and synced\nfrom. 
The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which\nhydrated manifests will be synced. This field's pattern rejects only the one-character values \".\" and \"/\"; longer root-equivalent values such as \"./\" still pass this schema, so the root-path rule is not fully enforced by schema validation alone.","type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"description":"TargetBranch is the branch from which hydrated manifests will be synced.\nIf HydrateTo is not set, this is also the branch to which hydrated manifests are committed.","type":"string"}}}}}}}}},"sourceType":{"description":"SourceType specifies the type of this application","type":"string"},"sourceTypes":{"description":"SourceTypes specifies the type of the sources included in the application","type":"array","items":{"description":"ApplicationSourceType specifies the type of the application's source","type":"string"}},"summary":{"description":"Summary contains a list of URLs and container images used by this application","type":"object","properties":{"externalURLs":{"description":"ExternalURLs holds all external URLs of application child resources.","type":"array","items":{"type":"string"}},"images":{"description":"Images holds all images of application child resources.","type":"array","items":{"type":"string"}}}},"sync":{"description":"Sync contains information about the application's current sync status","type":"object","required":["status"],"properties":{"comparedTo":{"description":"ComparedTo contains information about what has been compared","type":"object","required":["destination"],"properties":{"destination":{"description":"Destination is a reference to the application's destination used for comparison","type":"object","properties":{"name":{"description":"Name is an alternate way of specifying the target cluster by its symbolic name. 
This must be set if Server is not set.","type":"string"},"namespace":{"description":"Namespace specifies the target namespace for the application's resources.\nThe namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace","type":"string"},"server":{"description":"Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.","type":"string"}}},"ignoreDifferences":{"description":"IgnoreDifferences is a reference to the application's ignored differences used for comparison","type":"array","items":{"description":"ResourceIgnoreDifferences contains resource filter and list of json paths which should be ignored during comparison with live state.","type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"description":"ManagedFieldsManagers is a list of trusted managers. 
Fields mutated by those managers will take precedence over the\ndesired state defined in the SCM and won't be displayed in diffs","type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"source":{"description":"Source is a reference to the application's source used for comparison","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm holds helm specific 
options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials pass credentials to all domains (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}},"sources":{"description":"Sources is a reference to the application's multiple sources used for comparison","type":"array","items":{"description":"ApplicationSource contains all required information about the source of an application","type":"object","required":["repoURL"],"properties":{"chart":{"description":"Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.","type":"string"},"directory":{"description":"Directory holds path/directory specific options","type":"object","properties":{"exclude":{"description":"Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation","type":"string"},"include":{"description":"Include contains a glob pattern to match paths against that should be explicitly included during manifest generation","type":"string"},"jsonnet":{"description":"Jsonnet holds options specific to Jsonnet","type":"object","properties":{"extVars":{"description":"ExtVars is a list of Jsonnet External Variables","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"description":"Additional library search dirs","type":"array","items":{"type":"string"}},"tlas":{"description":"TLAS is a list of Jsonnet Top-level Arguments","type":"array","items":{"description":"JsonnetVar represents a variable to be passed to jsonnet during manifest generation","type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"description":"Recurse specifies whether to scan a directory recursively for manifests","type":"boolean"}}},"helm":{"description":"Helm 
holds helm specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"fileParameters":{"description":"FileParameters are file parameters to the helm template","type":"array","items":{"description":"HelmFileParameter is a file parameter that's passed to helm template during manifest generation","type":"object","properties":{"name":{"description":"Name is the name of the Helm parameter","type":"string"},"path":{"description":"Path is the path to the file containing the values for the Helm parameter","type":"string"}}}},"ignoreMissingValueFiles":{"description":"IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values","type":"boolean"},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"namespace":{"description":"Namespace is an optional namespace to template with. 
If left empty, defaults to the app's destination namespace.","type":"string"},"parameters":{"description":"Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation","type":"array","items":{"description":"HelmParameter is a parameter that's passed to helm template during manifest generation","type":"object","properties":{"forceString":{"description":"ForceString determines whether to tell Helm to interpret booleans and numbers as strings","type":"boolean"},"name":{"description":"Name is the name of the Helm parameter","type":"string"},"value":{"description":"Value is the value for the Helm parameter","type":"string"}}}},"passCredentials":{"description":"PassCredentials pass credentials to all domains (Helm's --pass-credentials)","type":"boolean"},"releaseName":{"description":"ReleaseName is the Helm release name to use. If omitted it will use the application name","type":"string"},"skipCrds":{"description":"SkipCrds skips custom resource definition installation step (Helm's --skip-crds)","type":"boolean"},"skipSchemaValidation":{"description":"SkipSchemaValidation skips JSON schema validation (Helm's --skip-schema-validation)","type":"boolean"},"skipTests":{"description":"SkipTests skips test manifest installation step (Helm's --skip-tests).","type":"boolean"},"valueFiles":{"description":"ValuesFiles is a list of Helm value files to use when generating a template","type":"array","items":{"type":"string"}},"values":{"description":"Values specifies Helm values to be passed to helm template, typically defined as a block. ValuesObject takes precedence over Values, so use one or the other.","type":"string"},"valuesObject":{"description":"ValuesObject specifies Helm values to be passed to helm template, defined as a map. 
This takes precedence over Values.","x-kubernetes-preserve-unknown-fields":true},"version":{"description":"Version is the Helm version to use for templating (\"3\")","type":"string"}}},"kustomize":{"description":"Kustomize holds kustomize specific options","type":"object","properties":{"apiVersions":{"description":"APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.","type":"array","items":{"type":"string"}},"commonAnnotations":{"description":"CommonAnnotations is a list of additional annotations to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"description":"CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values","type":"boolean"},"commonLabels":{"description":"CommonLabels is a list of additional labels to add to rendered manifests","type":"object","additionalProperties":{"type":"string"}},"components":{"description":"Components specifies a list of kustomize components to add to the kustomization before building","type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"description":"ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps","type":"boolean"},"forceCommonLabels":{"description":"ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps","type":"boolean"},"ignoreMissingComponents":{"description":"IgnoreMissingComponents prevents kustomize from failing when components do not exist locally by not appending them to kustomization file","type":"boolean"},"images":{"description":"Images is a list of Kustomize image override specifications","type":"array","items":{"description":"KustomizeImage represents a Kustomize image definition in the format 
[old_image_name=]<image_name>:<image_tag>","type":"string"}},"kubeVersion":{"description":"KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.","type":"string"},"labelIncludeTemplates":{"description":"LabelIncludeTemplates specifies whether to apply common labels to resource templates or not","type":"boolean"},"labelWithoutSelector":{"description":"LabelWithoutSelector specifies whether to apply common labels to resource selectors or not","type":"boolean"},"namePrefix":{"description":"NamePrefix is a prefix appended to resources for Kustomize apps","type":"string"},"nameSuffix":{"description":"NameSuffix is a suffix appended to resources for Kustomize apps","type":"string"},"namespace":{"description":"Namespace sets the namespace that Kustomize adds to all resources","type":"string"},"patches":{"description":"Patches is a list of Kustomize patches","type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"description":"Replicas is a list of Kustomize Replicas override specifications","type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"description":"Number of replicas","x-kubernetes-int-or-string":true},"name":{"description":"Name of Deployment or StatefulSet","type":"string"}}}},"version":{"description":"Version controls which version of Kustomize to use for rendering manifests","type":"string"}}},"name":{"description":"Name is used to refer to a source and is displayed in the UI. 
It is used in multi-source Applications.","type":"string"},"path":{"description":"Path is a directory path within the Git repository, and is only valid for applications sourced from Git.","type":"string"},"plugin":{"description":"Plugin holds config management plugin specific options","type":"object","properties":{"env":{"description":"Env is a list of environment variable entries","type":"array","items":{"description":"EnvEntry represents an entry in the application's environment","type":"object","required":["name","value"],"properties":{"name":{"description":"Name is the name of the variable, usually expressed in uppercase","type":"string"},"value":{"description":"Value is the value of the variable","type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}},"map":{"description":"Map is the value of a map type parameter.","type":"object","additionalProperties":{"type":"string"}},"name":{"description":"Name is the name identifying a parameter.","type":"string"},"string":{"description":"String_ is the value of a string type parameter.","type":"string"}}}}}},"ref":{"description":"Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.","type":"string"},"repoURL":{"description":"RepoURL is the URL to the repository (Git or Helm) that contains the application manifests","type":"string"},"targetRevision":{"description":"TargetRevision defines the revision of the source to sync the application to.\nIn case of Git, this can be commit, tag, or branch. 
If omitted, will equal to HEAD.\nIn case of Helm, this is a semver tag for the Chart's version.","type":"string"}}}}}},"revision":{"description":"Revision contains information about the revision the comparison has been performed to","type":"string"},"revisions":{"description":"Revisions contains information about the revisions of multiple sources the comparison has been performed to","type":"array","items":{"type":"string"}},"status":{"description":"Status is the sync state of the comparison","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"Application","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.Application"},"io.argoproj.v1alpha1.ApplicationList":{"description":"ApplicationList is a list of Application","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of applications. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.argoproj.v1alpha1.Application"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"ApplicationList","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.ApplicationList"},"io.argoproj.v1alpha1.ApplicationSet":{"type":"object","required":["metadata","spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["generators","template"],"properties":{"applyNestedSelectors":{"type":"boolean"},"generators":{"type":"array","items":{"type":"object","properties":{"clusterDecisionResource":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"string"},"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type
":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"a
rray","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type
":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type"
:"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type"
:"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelect
or":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"clusters":{"type":"object","properties":{"flatList":{"type":"boolean"},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","item
s":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"
type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},
"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"
type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}
}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type"
:"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string
"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"git":{"type":"object","required":["repoURL","revision"],"properties":{"directories":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"files":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"pathParamPrefix":{"type":"string"},"repoURL":{"type":"string"},"requeueAfterSeconds":{"type":"integer","format":"int64"},"revision":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifference
s":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"v
aluesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL"
:{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnota
tions":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"
type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePre
fix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":
"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"list":{"type":"object","properties":{"elements":{"type":"array","items":{"x-kubernetes-preserve-unknown-fields":true}},"elementsYaml":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties"
:{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"strin
g"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":
"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"
properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":
{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"typ
e":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}}}},"matrix":{"type":"object","required":["generators"],"properties":{"generators":{"type":"array","items":{"type":"object","properties":{"clusterDecisionResource":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"string"},"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"strin
g"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},
"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"ty
pe":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotation
s":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type"
:"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"for
ceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","pr
operties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"clusters":{"type":"object","properties":{"flatList":{"type":"boolean"},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"st
ring"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissi
ngComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"
}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{
"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","prop
erties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type"
:"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"git":{"type":"object","required":["repoURL","revision"],"properties":{"directories":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"files":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"pathParamPrefix":{"type":"string"},"repoURL":{"type":"string"},"requeue
AfterSeconds":{"type":"integer","format":"int64"},"revision":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","i
tems":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","requir
ed":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":
{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","
items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"str
ing"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"ob
ject","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"list":{"type":"object","properties":{"elements":{"type":"array","items":{"x-kubernetes-preserve-unknown-fields":true}},"elementsYaml":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"typ
e":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type"
:"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"typ
e":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalPro
perties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}
}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type
":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}}}},"matrix":{"x-kubernetes-preserve-unknown-fields":true},"merge":{"x-kubernetes-preserve-unknown-fields":true},"plugin":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"input":{"type":"object","properties":{"parameters":{"type":"object","additionalProperties":{"x-kubernetes-preserve-unknown-fields":true}}}},"requeueAfterSeconds":{
"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"
type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{
"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolea
n"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"obj
ect","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","proper
ties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"obj
ect","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"pullRequest":{"type":"object","properties":{"azuredevops":{"type":"object","required":["organization","project","repo"],"properties":{"api":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"organization":{"type":"string"},"project":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"bitbucket":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"owner":{"type":"string"},"repo":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key"
,"secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"},"repo":{"type":"string"}}},"continueOnRepoNotFoundError":{"type":"boolean"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"targetBranchMatch":{"type":"string"},"titleMatch":{"type":"string"}}}},"gitea":{"type":"object","required":["api","owner","repo"],"properties":{"api":{"type":"string"},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"appSecretName":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["project"],"properties":{"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"project":{"type":"string"},"pullRequestState":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"requeueAfterSecon
ds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameter
s":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"cou
nt":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"b
oolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type"
:"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","p
roperties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type"
:"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"scmProvider":{"type":"object","properties":{"awsCodeCommit":{"type":"object","properties":{"allBranches":{"type":"boolean"},"region":{"type":"string"},"role":{"type":"string"},"tagFilters":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"azureDevOps":{"type":"object","required":["accessTokenRef","organization","teamProject"],"properties":{"accessTokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"allBranches":{"type":"boolean"},"api":{"type":"string"},"organization":{"type":"string"},"teamProject":{"type":"string"}}},"bitbucket":{"type":"object","required":["appPasswordRef","owner","user"],"properties":{"allBranches":{"type":"boolean"},"appPasswordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"owner":{"type":"string"},"user":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key"
,"secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"}}},"cloneProtocol":{"type":"string"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"labelMatch":{"type":"string"},"pathsDoNotExist":{"type":"array","items":{"type":"string"}},"pathsExist":{"type":"array","items":{"type":"string"}},"repositoryMatch":{"type":"string"}}}},"gitea":{"type":"object","required":["api","owner"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"insecure":{"type":"boolean"},"owner":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["organization"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"appSecretName":{"type":"string"},"organization":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["group"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"group":{"type":"string"},"includeSharedProjects":{"type":"boolean"},"includeSubgroups":{"type":"boolean"},"insecure":{"type":"boolean"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"topic":{"ty
pe":"string"}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items"
:{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":[
"count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"typ
e":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items
":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}
}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object"
,"properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","ite
ms":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnota
tions":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","t
argetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIn
cludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"
},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"t
ype":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}}}},"merge":{"type":"object","required":["generators","mergeKeys"],"properties":{"generators":{"type":"array","items":{"type":"object","properties":{"clusterDecisi
onResource":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"string"},"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"str
ing"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"
type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"bo
olean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"
type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion
":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"ob
ject","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"clusters":{"type":"object","properties":{"flatList":{"type":"boolean"},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type
":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string
"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","item
s":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fie
lds":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":[
"targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"typ
e":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations"
:{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"git":{"type":"object","required":["repoURL","revision"],"properties":{"directories":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"files":{"type":"array","items":{"type":"object","required":["path"],"properties":{"exclude":{"type":"boolean"},"path":{"type":"string"}}}},"pathParamPrefix":{"type":"string"},"repoURL":{"type":"string"},"requeueAfterSeconds":{"type":"integer","format":"int64"},"revision":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"
info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type
":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"ext
Vars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patc
hes":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","
value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"
kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"list":{"type":"object","properties":{"elements":{"type":"array","items":{"x-kubernetes-preserve-unknown-fields":true}},"elementsYaml":{"type":"string"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties
":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolea
n"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plu
gin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"typ
e":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision
":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"com
monAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managed
NamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}}}},"matrix":{"x-kubernetes-preserve-unknown-fields":true},"merge":{"x-kubernetes-preserve-unknown-fields":true},"plugin":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"input":{"type":"object","properties":{"parameters":{"type":"object","additionalProperties":{"x-kubernetes-preserve-unknown-fields":true}}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"objec
t","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","i
tems":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"objec
t","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object
","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolea
n"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"ty
pe":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"pullRequest":{"type":"object","properties":{"azuredevops":{"type":"object","required":["organization","project","repo"],"properties":{"api":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"organization":{"type":"string"},"project":{"type":"string"},"repo":{"type":"string"},"tokenRef":{
"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"bitbucket":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"owner":{"type":"string"},"repo":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"},"repo":{"type":"string"}}},"continueOnRepoNotFoundError":{"type":"boolean"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"targetBranchMatch":{"type":"string"},"titleMatch":{"type":"string"}}}},"gitea":{"type":"object","required":["api","owner","repo"],"properties":{"api":{"type":"string"},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"]
,"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"appSecretName":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["project"],"properties":{"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"project":{"type":"string"},"pullRequestState":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"
object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"arra
y","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"
object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"o
bject","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"b
oolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector"
:{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"scmProvider":{"type":"object","properties":{"awsCodeCommit":{"type":"object","properties":{"allBranches":{"type":"boolean"},"region":{"type":"string"},"role":{"type":"string"},"tagFilters":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":
"string"}}}}}},"azureDevOps":{"type":"object","required":["accessTokenRef","organization","teamProject"],"properties":{"accessTokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"allBranches":{"type":"boolean"},"api":{"type":"string"},"organization":{"type":"string"},"teamProject":{"type":"string"}}},"bitbucket":{"type":"object","required":["appPasswordRef","owner","user"],"properties":{"allBranches":{"type":"boolean"},"appPasswordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"owner":{"type":"string"},"user":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"}}},"cloneProtocol":{"type":"string"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"labelMatch":{"type":"string"},"pathsDoNotExist":{"type":"array","items":{"type":"string"}},"pathsExist":{"type":"array","items":{"type":"string"}},"repositoryMatch":{"type":"string"}}}},"gitea":{"type":"object","required":["api","owner"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"insecure":{"type":"boolean"},"owner":{"type":"string"},"tokenRef":{"type":"object","requir
ed":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["organization"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"appSecretName":{"type":"string"},"organization":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["group"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"group":{"type":"string"},"includeSharedProjects":{"type":"boolean"},"includeSubgroups":{"type":"boolean"},"insecure":{"type":"boolean"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"topic":{"type":"string"}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info"
:{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"st
ring"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars"
:{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":
{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value
"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind"
:{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-t
ype":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}},"mergeKeys":{"type":"array","items":{"type":"string"}},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"st
ring"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{
"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":
{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":
{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array
","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string
":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}}}},"plugin":{"type":"object","required":["configMapRef"],"properties":{"configMapRef":{"type":"object","required":["name"],"properties":{"name":{"type":"string"}}},"input":{"type":"object","properties":{"parameters":{"type":"object","additionalProperties":{"x-kubernetes-preserve-unknown-fields":true}}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","
items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnn
otations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL"
,"targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labe
lIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boole
an"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":
{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"pullRequest":{"type":"object","properties":{"azuredevops":{"type":"object","required":[
"organization","project","repo"],"properties":{"api":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"organization":{"type":"string"},"project":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"bitbucket":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"owner":{"type":"string"},"repo":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project","repo"],"properties":{"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"},"repo":{"type":"string"}}},"continueOnRepoNotFoundError":{"type":"boolean"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"targetBranchMatch":{"type":"string"},"titleMatch":{"type":"string"}}}},"gitea":{"type":"object","required":["api","owner","repo"],"properti
es":{"api":{"type":"string"},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["owner","repo"],"properties":{"api":{"type":"string"},"appSecretName":{"type":"string"},"labels":{"type":"array","items":{"type":"string"}},"owner":{"type":"string"},"repo":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["project"],"properties":{"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"labels":{"type":"array","items":{"type":"string"}},"project":{"type":"string"},"pullRequestState":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"arr
ay","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"comm
onAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","rep
oURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},
"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"
boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalPropert
ies":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"scmProvider":{"type":"object","properties":{"awsCodeCommit":{"type":"object","prop
erties":{"allBranches":{"type":"boolean"},"region":{"type":"string"},"role":{"type":"string"},"tagFilters":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"}}}}}},"azureDevOps":{"type":"object","required":["accessTokenRef","organization","teamProject"],"properties":{"accessTokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"allBranches":{"type":"boolean"},"api":{"type":"string"},"organization":{"type":"string"},"teamProject":{"type":"string"}}},"bitbucket":{"type":"object","required":["appPasswordRef","owner","user"],"properties":{"allBranches":{"type":"boolean"},"appPasswordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"owner":{"type":"string"},"user":{"type":"string"}}},"bitbucketServer":{"type":"object","required":["api","project"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"basicAuth":{"type":"object","required":["passwordRef","username"],"properties":{"passwordRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"username":{"type":"string"}}},"bearerToken":{"type":"object","required":["tokenRef"],"properties":{"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"insecure":{"type":"boolean"},"project":{"type":"string"}}},"cloneProtocol":{"type":"string"},"filters":{"type":"array","items":{"type":"object","properties":{"branchMatch":{"type":"string"},"labelMatch":{"type":"string"},"pathsDoNotExist":{"type":"array","items":{"type":"string"}},"pathsExist":{"type":"array","items":{"type":"string"}},"repositoryMatch":{"type":"strin
g"}}}},"gitea":{"type":"object","required":["api","owner"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"insecure":{"type":"boolean"},"owner":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"github":{"type":"object","required":["organization"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"appSecretName":{"type":"string"},"organization":{"type":"string"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}}}},"gitlab":{"type":"object","required":["group"],"properties":{"allBranches":{"type":"boolean"},"api":{"type":"string"},"caRef":{"type":"object","required":["configMapName","key"],"properties":{"configMapName":{"type":"string"},"key":{"type":"string"}}},"group":{"type":"string"},"includeSharedProjects":{"type":"boolean"},"includeSubgroups":{"type":"boolean"},"insecure":{"type":"boolean"},"tokenRef":{"type":"object","required":["key","secretName"],"properties":{"key":{"type":"string"},"secretName":{"type":"string"}}},"topic":{"type":"string"}}},"requeueAfterSeconds":{"type":"integer","format":"int64"},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"str
ing"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array
","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type
":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}
},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","valu
e"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{
"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"string"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"values":{"type":"object","additionalProperties":{"type":"string"}}}},"selector":{"type":"object","properties":{"matchE
xpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}}},"goTemplate":{"type":"boolean"},"goTemplateOptions":{"type":"array","items":{"type":"string"}},"ignoreApplicationDifferences":{"type":"array","items":{"type":"object","properties":{"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"}}}},"preservedFields":{"type":"object","properties":{"annotations":{"type":"array","items":{"type":"string"}},"labels":{"type":"array","items":{"type":"string"}}}},"strategy":{"type":"object","properties":{"deletionOrder":{"type":"string"},"rollingSync":{"type":"object","properties":{"steps":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"maxUpdate":{"x-kubernetes-int-or-string":true}}}}}},"type":{"type":"string"}}},"syncPolicy":{"type":"object","properties":{"applicationsSync":{"type":"string","enum":["create-only","create-update","create-delete","sync"]},"preserveResourcesOnDeletion":{"type":"boolean"}}},"template":{"type":"object","required":["metadata","spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","required":["destination","project"],"properties":{"destination":{"type":"object","properties
":{"name":{"type":"string"},"namespace":{"type":"string"},"server":{"type":"string"}}},"ignoreDifferences":{"type":"array","items":{"type":"object","required":["kind"],"properties":{"group":{"type":"string"},"jqPathExpressions":{"type":"array","items":{"type":"string"}},"jsonPointers":{"type":"array","items":{"type":"string"}},"kind":{"type":"string"},"managedFieldsManagers":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}}},"info":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"project":{"type":"string"},"revisionHistoryLimit":{"type":"integer","format":"int64"},"source":{"type":"object","required":["repoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":
{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"typ
e":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"sourceHydrator":{"type":"object","required":["drySource","syncSource"],"properties":{"drySource":{"type":"object","required":["path","repoURL","targetRevision"],"properties":{"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalP
roperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type":"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}},"hydrateTo":{"type":"object","required":["targetBranch"],"properties":{"targetBranch":{"type":"string"}}},"syncSource":{"type":"object","required":["path","targetBranch"],"properties":{"path":{"type":"string","minLength":1,"pattern":"^.{2,}|[^./]$"},"targetBranch":{"type":"string"}}}}},"sources":{"type":"array","items":{"type":"object","required":["r
epoURL"],"properties":{"chart":{"type":"string"},"directory":{"type":"object","properties":{"exclude":{"type":"string"},"include":{"type":"string"},"jsonnet":{"type":"object","properties":{"extVars":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"libs":{"type":"array","items":{"type":"string"}},"tlas":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"code":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}}}},"recurse":{"type":"boolean"}}},"helm":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"fileParameters":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"path":{"type":"string"}}}},"ignoreMissingValueFiles":{"type":"boolean"},"kubeVersion":{"type":"string"},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"forceString":{"type":"boolean"},"name":{"type":"string"},"value":{"type":"string"}}}},"passCredentials":{"type":"boolean"},"releaseName":{"type":"string"},"skipCrds":{"type":"boolean"},"skipSchemaValidation":{"type":"boolean"},"skipTests":{"type":"boolean"},"valueFiles":{"type":"array","items":{"type":"string"}},"values":{"type":"string"},"valuesObject":{"x-kubernetes-preserve-unknown-fields":true},"version":{"type":"string"}}},"kustomize":{"type":"object","properties":{"apiVersions":{"type":"array","items":{"type":"string"}},"commonAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"commonAnnotationsEnvsubst":{"type":"boolean"},"commonLabels":{"type":"object","additionalProperties":{"type":"string"}},"components":{"type":"array","items":{"type":"string"}},"forceCommonAnnotations":{"type":"boolean"},"forceCommonLabels":{"type":"boolean"},"ignoreMissingComponents":{"type":"boolean"},"images":{"type":"array","items":{"type":"string"}},"kubeVersion":{"type"
:"string"},"labelIncludeTemplates":{"type":"boolean"},"labelWithoutSelector":{"type":"boolean"},"namePrefix":{"type":"string"},"nameSuffix":{"type":"string"},"namespace":{"type":"string"},"patches":{"type":"array","items":{"type":"object","properties":{"options":{"type":"object","additionalProperties":{"type":"boolean"}},"patch":{"type":"string"},"path":{"type":"string"},"target":{"type":"object","properties":{"annotationSelector":{"type":"string"},"group":{"type":"string"},"kind":{"type":"string"},"labelSelector":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}},"replicas":{"type":"array","items":{"type":"object","required":["count","name"],"properties":{"count":{"x-kubernetes-int-or-string":true},"name":{"type":"string"}}}},"version":{"type":"string"}}},"name":{"type":"string"},"path":{"type":"string"},"plugin":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"name":{"type":"string"},"parameters":{"type":"array","items":{"type":"object","properties":{"array":{"type":"array","items":{"type":"string"}},"map":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"string":{"type":"string"}}}}}},"ref":{"type":"string"},"repoURL":{"type":"string"},"targetRevision":{"type":"string"}}}},"syncPolicy":{"type":"object","properties":{"automated":{"type":"object","properties":{"allowEmpty":{"type":"boolean"},"enabled":{"type":"boolean"},"prune":{"type":"boolean"},"selfHeal":{"type":"boolean"}}},"managedNamespaceMetadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"retry":{"type":"object","properties":{"backoff":{"type":"object","properties":{"duration":{"type":"string"},"factor":{"type":"integer","format":"int64"},"maxDuration":{"type":"stri
ng"}}},"limit":{"type":"integer","format":"int64"},"refresh":{"type":"boolean"}}},"syncOptions":{"type":"array","items":{"type":"string"}}}}}}}},"templatePatch":{"type":"string"}}},"status":{"type":"object","properties":{"applicationStatus":{"type":"array","items":{"type":"object","required":["application","message","status","step","targetRevisions"],"properties":{"application":{"type":"string"},"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"status":{"type":"string"},"step":{"type":"string"},"targetRevisions":{"type":"array","items":{"type":"string"}}}}},"conditions":{"type":"array","items":{"type":"object","required":["message","reason","status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}},"resources":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"health":{"type":"object","properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"status":{"type":"string"}}},"hook":{"type":"boolean"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"requiresDeletionConfirmation":{"type":"boolean"},"requiresPruning":{"type":"boolean"},"status":{"type":"string"},"syncWave":{"type":"integer","format":"int64"},"version":{"type":"string"}}}},"resourcesCount":{"type":"integer","format":"int64"}}}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"ApplicationSet","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.ApplicationSet"},"io.argoproj.v1alpha1.ApplicationSetList":{"description":"ApplicationSetList is a list of ApplicationSet","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of applicationsets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.argoproj.v1alpha1.ApplicationSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"argoproj.io","kind":"ApplicationSetList","version":"v1alpha1"}],"title":"io.argoproj.v1alpha1.ApplicationSetList"},"io.cert-manager.acme.v1.Challenge":{"description":"Challenge is a type to represent a Challenge request with an ACME server","type":"object","required":["metadata","spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["authorizationURL","dnsName","issuerRef","key","solver","token","type","url"],"properties":{"authorizationURL":{"description":"The URL to the ACME Authorization resource that this\nchallenge is a part of.","type":"string"},"dnsName":{"description":"dnsName is the identifier that this challenge is for, e.g. example.com.\nIf the requested DNSName is a 'wildcard', this field MUST be set to the\nnon-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.","type":"string"},"issuerRef":{"description":"References a properly configured ACME-type Issuer which should\nbe used to create this Challenge.\nIf the Issuer does not exist, processing will be retried.\nIf the Issuer is not an 'ACME' Issuer, an error will be returned and the\nChallenge will be marked as failed.","type":"object","required":["name"],"properties":{"group":{"description":"Group of the resource being referred to.","type":"string"},"kind":{"description":"Kind of the resource being referred to.","type":"string"},"name":{"description":"Name of the resource being referred to.","type":"string"}}},"key":{"description":"The ACME challenge key for this challenge\nFor HTTP01 challenges, this is the value that must be responded with to\ncomplete the HTTP01 challenge in the format:\n`<private key JWK thumbprint>.<key from acme server for challenge>`.\nFor DNS01 challenges, this is the base64 encoded SHA256 sum of the\n`<private key JWK thumbprint>.<key from acme server for challenge>`\ntext that must be set as the TXT record content.","type":"string"},"solver":{"description":"Contains the domain solving configuration 
that should be used to\nsolve this challenge resource.","type":"object","properties":{"dns01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the DNS01 challenge flow.","type":"object","properties":{"acmeDNS":{"description":"Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage\nDNS01 challenge records.","type":"object","required":["accountSecretRef","host"],"properties":{"accountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"host":{"type":"string"}}},"akamai":{"description":"Use the Akamai DNS zone management API to manage DNS01 challenge records.","type":"object","required":["accessTokenSecretRef","clientSecretSecretRef","clientTokenSecretRef","serviceConsumerDomain"],"properties":{"accessTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientSecretSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required 
field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"serviceConsumerDomain":{"type":"string"}}},"azureDNS":{"description":"Use the Microsoft Azure DNS API to manage DNS01 challenge records.","type":"object","required":["resourceGroupName","subscriptionID"],"properties":{"clientID":{"description":"Auth: Azure Service Principal:\nThe ClientID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientSecret and TenantID must also be set.","type":"string"},"clientSecretSecretRef":{"description":"Auth: Azure Service Principal:\nA reference to a Secret containing the password associated with the Service Principal.\nIf set, ClientID and TenantID must also be set.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"environment":{"description":"name of the Azure environment (default AzurePublicCloud)","type":"string","enum":["AzurePublicCloud","AzureChinaCloud","AzureGermanCloud","AzureUSGovernmentCloud"]},"hostedZoneName":{"description":"name of the DNS zone that should be used","type":"string"},"managedIdentity":{"description":"Auth: Azure Workload Identity or Azure Managed Service Identity:\nSettings to enable Azure Workload Identity or Azure Managed Service Identity\nIf set, ClientID, ClientSecret and TenantID must not be set.","type":"object","properties":{"clientID":{"description":"client ID of the managed identity, can not be used at the same time as resourceID","type":"string"},"resourceID":{"description":"resource ID of the managed identity, can not be used at the same time as clientID\nCannot be used for Azure Managed Service Identity","type":"string"},"tenantID":{"description":"tenant ID of the managed identity, can not be used at the same time as resourceID","type":"string"}}},"resourceGroupName":{"description":"resource group the DNS zone is located in","type":"string"},"subscriptionID":{"description":"ID of the Azure subscription","type":"string"},"tenantID":{"description":"Auth: Azure Service Principal:\nThe TenantID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientID and ClientSecret must also be set.","type":"string"}}},"cloudDNS":{"description":"Use the Google Cloud DNS API to manage DNS01 challenge records.","type":"object","required":["project"],"properties":{"hostedZoneName":{"description":"HostedZoneName is an optional field that tells cert-manager in which\nCloud DNS zone the challenge record has to be created.\nIf left empty cert-manager will automatically choose a zone.","type":"string"},"project":{"type":"string"},"serviceAccountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn 
some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"cloudflare":{"description":"Use the Cloudflare API to manage DNS01 challenge records.","type":"object","properties":{"apiKeySecretRef":{"description":"API key to use to authenticate with Cloudflare.\nNote: using an API token to authenticate is now the recommended method\nas it allows greater control of permissions.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"apiTokenSecretRef":{"description":"API token used to authenticate with Cloudflare.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"email":{"description":"Email of the account, only required when using API key based authentication.","type":"string"}}},"cnameStrategy":{"description":"CNAMEStrategy configures how the DNS01 provider should handle CNAME\nrecords when found in DNS 
zones.","type":"string","enum":["None","Follow"]},"digitalocean":{"description":"Use the DigitalOcean DNS API to manage DNS01 challenge records.","type":"object","required":["tokenSecretRef"],"properties":{"tokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"rfc2136":{"description":"Use RFC2136 (\"Dynamic Updates in the Domain Name System\") (https://datatracker.ietf.org/doc/rfc2136/)\nto manage DNS01 challenge records.","type":"object","required":["nameserver"],"properties":{"nameserver":{"description":"The IP address or hostname of an authoritative DNS server supporting\nRFC2136 in the form host:port. If the host is an IPv6 address it must be\nenclosed in square brackets (e.g. [2001:db8::1]); port is optional.\nThis field is required.","type":"string"},"tsigAlgorithm":{"description":"The TSIG Algorithm configured in the DNS supporting RFC2136. 
Used only\nwhen ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.\nSupported values are (case-insensitive): ``HMACMD5`` (default),\n``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.\nHMACMD5 and HMACSHA1 are legacy choices that RFC 8945 discourages for TSIG; set this field\nexplicitly to ``HMACSHA256`` or ``HMACSHA512`` when the DNS server supports it, rather than\nrelying on the default.","type":"string"},"tsigKeyName":{"description":"The TSIG Key name configured in the DNS.\nIf ``tsigSecretSecretRef`` is defined, this field is required.","type":"string"},"tsigSecretSecretRef":{"description":"The name of the secret containing the TSIG value.\nIf ``tsigKeyName`` is defined, this field is required.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"route53":{"description":"Use the AWS Route53 API to manage DNS01 challenge records.","type":"object","properties":{"accessKeyID":{"description":"The AccessKeyID is used for authentication.\nCannot be set when SecretAccessKeyID is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"string"},"accessKeyIDSecretRef":{"description":"The SecretAccessKey is used for authentication. 
If set, pull the AWS\naccess key ID from a key within a Kubernetes Secret.\nCannot be set when AccessKeyID is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"auth":{"description":"Auth configures how cert-manager authenticates.","type":"object","required":["kubernetes"],"properties":{"kubernetes":{"description":"Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity\nby passing a bound ServiceAccount token.","type":"object","required":["serviceAccountRef"],"properties":{"serviceAccountRef":{"description":"A reference to a service account that will be used to request a bound\ntoken (also known as \"projected token\"). To use this field, you must\nconfigure an RBAC rule to let cert-manager request a token.","type":"object","required":["name"],"properties":{"audiences":{"description":"TokenAudiences is an optional list of audiences to include in the\ntoken passed to AWS. 
The default token consisting of the issuer's namespace\nand name is always included.\nIf unset the audience defaults to `sts.amazonaws.com`.","type":"array","items":{"type":"string"}},"name":{"description":"Name of the ServiceAccount used to request a token.","type":"string"}}}}}}},"hostedZoneID":{"description":"If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.","type":"string"},"region":{"description":"Override the AWS region.\n\nRoute53 is a global service and does not have regional endpoints but the\nregion specified here (or via environment variables) is used as a hint to\nhelp compute the correct AWS credential scope and partition when it\nconnects to Route53. See:\n- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)\n- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)\n\nIf you omit this region field, cert-manager will use the region from\nAWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set\nin the cert-manager controller Pod.\n\nThe `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).\nIn this case this `region` field value is ignored.\n\nThe `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent).\nIn this case this `region` field value is ignored.","type":"string"},"role":{"description":"Role is a Role ARN 
which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey\nor the inferred credentials from environment variables, shared credentials file or AWS Instance metadata","type":"string"},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication.\nIf neither the Access Key nor Key ID is set, we fall back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"webhook":{"description":"Configure an external webhook based DNS01 challenge solver to manage\nDNS01 challenge records.","type":"object","required":["groupName","solverName"],"properties":{"config":{"description":"Additional configuration that should be passed to the webhook apiserver\nwhen challenges are processed.\nThis can contain arbitrary JSON data.\nSecret values should not be specified in this stanza.\nIf secret values are needed (e.g. 
credentials for a DNS service), you\nshould use a SecretKeySelector to reference a Secret resource.\nFor details on the schema of this field, consult the webhook provider\nimplementation's documentation.","x-kubernetes-preserve-unknown-fields":true},"groupName":{"description":"The API group name that should be used when POSTing ChallengePayload\nresources to the webhook apiserver.\nThis should be the same as the GroupName specified in the webhook\nprovider implementation.","type":"string"},"solverName":{"description":"The name of the solver to use, as defined in the webhook provider\nimplementation.\nThis will typically be the name of the provider, e.g. 'cloudflare'.","type":"string"}}}}},"http01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the HTTP01 challenge flow.\nIt is not possible to obtain certificates for wildcard domain names\n(e.g. `*.example.com`) using the HTTP01 challenge mechanism.","type":"object","properties":{"gatewayHTTPRoute":{"description":"The Gateway API is a sig-network community API that models service networking\nin Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will\ncreate HTTPRoutes with the specified labels in the same namespace as the challenge.\nThis solver is experimental, and fields / behaviour may change in the future.","type":"object","properties":{"labels":{"description":"Custom labels that will be applied to HTTPRoutes created by cert-manager\nwhile solving HTTP-01 challenges.","type":"object","additionalProperties":{"type":"string"}},"parentRefs":{"description":"When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.\ncert-manager needs to know which parentRefs should be used when creating\nthe HTTPRoute. Usually, the parentRef references a Gateway. 
See:\nhttps://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways","type":"array","items":{"description":"ParentReference identifies an API object (usually a Gateway) that can be considered\na parent of this resource (usually a route). There are two kinds of parent resources\nwith \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nThe API object must be valid in the cluster; the Group and Kind must\nbe registered in the cluster for this reference to be valid.","type":"object","required":["name"],"properties":{"group":{"description":"Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core","type":"string","maxLength":253,"pattern":"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"},"kind":{"description":"Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"},"name":{"description":"Name is the name of the referent.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1},"namespace":{"description":"Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. 
For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n<gateway:experimental:description>\nParentRefs from a Route to a Service in the same namespace are \"producer\"\nroutes, which apply default routing rules to inbound connections from\nany namespace to the Service.\n\nParentRefs from a Route to a Service in a different namespace are\n\"consumer\" routes, and these routing rules are only applied to outbound\nconnections originating from the same namespace as the Route, for which\nthe intended destination of the connections are a Service targeted as a\nParentRef of the Route.\n</gateway:experimental:description>\n\nSupport: Core","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"},"port":{"description":"Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n<gateway:experimental:description>\nWhen the parent resource is a Service, this targets a specific port in the\nService spec. 
When both Port (experimental) and SectionName are specified,\nthe name and port of the selected port must match both specified values.\n</gateway:experimental:description>\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended","type":"integer","format":"int32","maximum":65535,"minimum":1},"sectionName":{"description":"SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"}}}},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}},"ingress":{"description":"The ingress based HTTP01 challenge solver will solve challenges by\ncreating or modifying Ingress resources in order to route requests for\n'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are\nprovisioned by cert-manager for each Challenge to be completed.","type":"object","properties":{"class":{"description":"This field configures the annotation `kubernetes.io/ingress.class` when\ncreating Ingress resources to solve ACME challenges that use this\nchallenge solver. Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"ingressClassName":{"description":"This field configures the field `ingressClassName` on the created Ingress\nresources used to solve ACME challenges that use this challenge solver.\nThis is the recommended way of configuring the ingress class. 
Only one of\n`class`, `name` or `ingressClassName` may be specified.","type":"string"},"ingressTemplate":{"description":"Optional ingress template used to configure the ACME challenge solver\ningress used for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the ingress used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}}}}}},"name":{"description":"The name of the ingress resource that should have ACME challenge solving\nroutes inserted into it in order to solve HTTP01 challenges.\nThis is typically used in conjunction with ingress controllers like\ningress-gce, which maintains a 1:1 mapping between external IPs and\ningress resources. 
Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}}}},"selector":{"description":"Selector selects a set of DNSNames on the Certificate resource that\nshould be solved using this challenge solver.\nIf not specified, the solver will be treated as the 'default' solver\nwith the lowest priority, i.e. 
if any other solver has a more specific\nmatch, it will be used instead.","type":"object","properties":{"dnsNames":{"description":"List of DNSNames that this solver will be used to solve.\nIf specified and a match is found, a dnsNames selector will take\nprecedence over a dnsZones selector.\nIf multiple solvers match with the same dnsNames value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"dnsZones":{"description":"List of DNSZones that this solver will be used to solve.\nThe most specific DNS zone match specified here will take precedence\nover other DNS zone matches, so a solver specifying sys.example.com\nwill be selected over one specifying example.com for the domain\nwww.sys.example.com.\nIf multiple solvers match with the same dnsZones value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"matchLabels":{"description":"A label selector that is used to refine the set of certificates that\nthis challenge solver will apply to.","type":"object","additionalProperties":{"type":"string"}}}}}},"token":{"description":"The ACME challenge token for this challenge.\nThis is the raw value returned from the ACME server.","type":"string"},"type":{"description":"The type of ACME challenge this resource represents.\nOne of \"HTTP-01\" or \"DNS-01\".","type":"string","enum":["HTTP-01","DNS-01"]},"url":{"description":"The URL of the ACME Challenge resource for this challenge.\nThis can be used to lookup details about the status of this challenge.","type":"string"},"wildcard":{"description":"wildcard will be true if this challenge is for a wildcard identifier,\nfor example 
'*.example.com'.","type":"boolean"}}},"status":{"type":"object","properties":{"presented":{"description":"presented will be set to true if the challenge values for this challenge\nare currently 'presented'.\nThis *does not* imply the self check is passing. Only that the values\nhave been 'submitted' for the appropriate challenge mechanism (i.e. the\nDNS01 TXT record has been presented, or the HTTP01 configuration has been\nconfigured).","type":"boolean"},"processing":{"description":"Used to denote whether this challenge should be processed or not.\nThis field will only be set to true by the 'scheduling' component.\nIt will only be set to false by the 'challenges' controller, after the\nchallenge has reached a final state or timed out.\nIf this field is set to false, the challenge controller will not take\nany more action.","type":"boolean"},"reason":{"description":"Contains human readable information on why the Challenge is in the\ncurrent state.","type":"string"},"state":{"description":"Contains the current 'state' of the challenge.\nIf not set, the state of the challenge is unknown.","type":"string","enum":["valid","ready","pending","processing","invalid","expired","errored"]}}}},"x-kubernetes-group-version-kind":[{"group":"acme.cert-manager.io","kind":"Challenge","version":"v1"}],"title":"io.cert-manager.acme.v1.Challenge"},"io.cert-manager.acme.v1.ChallengeList":{"description":"ChallengeList is a list of Challenge","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of challenges. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.acme.v1.Challenge"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"acme.cert-manager.io","kind":"ChallengeList","version":"v1"}],"title":"io.cert-manager.acme.v1.ChallengeList"},"io.cert-manager.acme.v1.Order":{"description":"Order is a type to represent an Order with an ACME server","type":"object","required":["metadata","spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["issuerRef","request"],"properties":{"commonName":{"description":"CommonName is the common name as specified on the DER encoded CSR.\nIf specified, this value must also be present in `dnsNames` or `ipAddresses`.\nThis field must match the corresponding field on the DER encoded CSR.","type":"string"},"dnsNames":{"description":"DNSNames is a list of DNS names that should be included as part of the Order\nvalidation process.\nThis field must match the corresponding field on the DER encoded CSR.","type":"array","items":{"type":"string"}},"duration":{"description":"Duration is the duration for the not after date for the requested certificate.\nThis is set on order creation as per the ACME spec.","type":"string"},"ipAddresses":{"description":"IPAddresses is a list of IP addresses that should be included as part of the Order\nvalidation process.\nThis field must match the corresponding field on the DER encoded CSR.","type":"array","items":{"type":"string"}},"issuerRef":{"description":"IssuerRef references a properly configured ACME-type Issuer which should\nbe used to create this Order.\nIf the Issuer does not exist, processing will be retried.\nIf the Issuer is not an 'ACME' Issuer, an error will be returned and the\nOrder will be marked as failed.","type":"object","required":["name"],"properties":{"group":{"description":"Group of the resource being referred to.","type":"string"},"kind":{"description":"Kind of the resource being referred to.","type":"string"},"name":{"description":"Name of the resource being referred to.","type":"string"}}},"request":{"description":"Certificate signing request bytes in DER encoding.\nThis will be used when finalizing the order.\nThis field must be set on the 
order.","type":"string","format":"byte"}}},"status":{"type":"object","properties":{"authorizations":{"description":"Authorizations contains data returned from the ACME server on what\nauthorizations must be completed in order to validate the DNS names\nspecified on the Order.","type":"array","items":{"description":"ACMEAuthorization contains data returned from the ACME server on an\nauthorization that must be completed in order to validate a DNS name on an ACME\nOrder resource.","type":"object","required":["url"],"properties":{"challenges":{"description":"Challenges specifies the challenge types offered by the ACME server.\nOne of these challenge types will be selected when validating the DNS\nname and an appropriate Challenge resource will be created to perform\nthe ACME challenge process.","type":"array","items":{"description":"Challenge specifies a challenge offered by the ACME server for an Order.\nAn appropriate Challenge resource can be created to perform the ACME\nchallenge process.","type":"object","required":["token","type","url"],"properties":{"token":{"description":"Token is the token that must be presented for this challenge.\nThis is used to compute the 'key' that must also be presented.","type":"string"},"type":{"description":"Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',\n'tls-sni-01', etc.\nThis is the raw value retrieved from the ACME server.\nOnly 'http-01' and 'dns-01' are supported by cert-manager, other values\nwill be ignored.","type":"string"},"url":{"description":"URL is the URL of this challenge. 
It can be used to retrieve additional\nmetadata about the Challenge from the ACME server.","type":"string"}}}},"identifier":{"description":"Identifier is the DNS name to be validated as part of this authorization","type":"string"},"initialState":{"description":"InitialState is the initial state of the ACME authorization when first\nfetched from the ACME server.\nIf an Authorization is already 'valid', the Order controller will not\ncreate a Challenge resource for the authorization. This will occur when\nworking with an ACME server that enables 'authz reuse' (such as Let's\nEncrypt's production endpoint).\nIf not set and 'identifier' is set, the state is assumed to be pending\nand a Challenge will be created.","type":"string","enum":["valid","ready","pending","processing","invalid","expired","errored"]},"url":{"description":"URL is the URL of the Authorization that must be completed","type":"string"},"wildcard":{"description":"Wildcard will be true if this authorization is for a wildcard DNS name.\nIf this is true, the identifier will be the *non-wildcard* version of\nthe DNS name.\nFor example, if '*.example.com' is the DNS name being validated, this\nfield will be 'true' and the 'identifier' field will be 'example.com'.","type":"boolean"}}}},"certificate":{"description":"Certificate is a copy of the PEM encoded certificate for this Order.\nThis field will be populated after the order has been successfully\nfinalized with the ACME server, and the order has transitioned to the\n'valid' state.","type":"string","format":"byte"},"failureTime":{"description":"FailureTime stores the time that this order failed.\nThis is used to influence garbage collection and back-off.","type":"string","format":"date-time"},"finalizeURL":{"description":"FinalizeURL of the Order.\nThis is used to obtain certificates for this order once it has been completed.","type":"string"},"reason":{"description":"Reason optionally provides more information about why the order is in\nthe current 
state.","type":"string"},"state":{"description":"State contains the current state of this Order resource.\nStates 'success' and 'expired' are 'final'","type":"string","enum":["valid","ready","pending","processing","invalid","expired","errored"]},"url":{"description":"URL of the Order.\nThis will initially be empty when the resource is first created.\nThe Order controller will populate this field when the Order is first processed.\nThis field will be immutable after it is initially set.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"acme.cert-manager.io","kind":"Order","version":"v1"}],"title":"io.cert-manager.acme.v1.Order"},"io.cert-manager.acme.v1.OrderList":{"description":"OrderList is a list of Order","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of orders. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.acme.v1.Order"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"acme.cert-manager.io","kind":"OrderList","version":"v1"}],"title":"io.cert-manager.acme.v1.OrderList"},"io.cert-manager.v1.Certificate":{"description":"A Certificate resource should be created to ensure an up to date and signed\nX.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.\n\nThe stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired state of the Certificate resource.\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","required":["issuerRef","secretName"],"properties":{"additionalOutputFormats":{"description":"Defines extra output formats of the private key and signed certificate chain\nto be written to this Certificate's target Secret.\n\nThis is a Beta Feature enabled by default. It can be disabled with the\n`--feature-gates=AdditionalCertificateOutputFormats=false` option set on both\nthe controller and webhook components.","type":"array","items":{"description":"CertificateAdditionalOutputFormat defines an additional output format of a\nCertificate resource. These contain supplementary data formats of the signed\ncertificate chain and paired private key.","type":"object","required":["type"],"properties":{"type":{"description":"Type is the name of the format type that should be written to the\nCertificate's target Secret.","type":"string","enum":["DER","CombinedPEM"]}}}},"commonName":{"description":"Requested common name X509 certificate subject attribute.\nMore info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6\nNOTE: TLS clients will ignore this value when any subject alternative name is\nset (see https://tools.ietf.org/html/rfc6125#section-6.4.4).\n\nShould have a length of 64 characters or fewer to avoid generating invalid CSRs.\nCannot be set if the `literalSubject` field is set.","type":"string"},"dnsNames":{"description":"Requested DNS subject alternative names.","type":"array","items":{"type":"string"}},"duration":{"description":"Requested 'duration' (i.e. lifetime) of the Certificate. 
Note that the\nissuer may choose to ignore the requested duration, just like any other\nrequested attribute.\n\nIf unset, this defaults to 90 days.\nMinimum accepted duration is 1 hour.\nValue must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.","type":"string"},"emailAddresses":{"description":"Requested email subject alternative names.","type":"array","items":{"type":"string"}},"encodeUsagesInRequest":{"description":"Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.\n\nThis option defaults to true, and should only be disabled if the target\nissuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.","type":"boolean"},"ipAddresses":{"description":"Requested IP address subject alternative names.","type":"array","items":{"type":"string"}},"isCA":{"description":"Requested basic constraints isCA value.\nThe isCA value is used to set the `isCA` field on the created CertificateRequest\nresources. Note that the issuer may choose to ignore the requested isCA value, just\nlike any other requested attribute.\n\nIf true, this will automatically add the `cert sign` usage to the list\nof requested `usages`.","type":"boolean"},"issuerRef":{"description":"Reference to the issuer responsible for issuing the certificate.\nIf the issuer is namespace-scoped, it must be in the same namespace\nas the Certificate. 
If the issuer is cluster-scoped, it can be used\nfrom any namespace.\n\nThe `name` field of the reference must always be specified.","type":"object","required":["name"],"properties":{"group":{"description":"Group of the resource being referred to.","type":"string"},"kind":{"description":"Kind of the resource being referred to.","type":"string"},"name":{"description":"Name of the resource being referred to.","type":"string"}}},"keystores":{"description":"Additional keystore output formats to be stored in the Certificate's Secret.","type":"object","properties":{"jks":{"description":"JKS configures options for storing a JKS keystore in the\n`spec.secretName` Secret resource.","type":"object","required":["create"],"properties":{"alias":{"description":"Alias specifies the alias of the key in the keystore, required by the JKS format.\nIf not provided, the default alias `certificate` will be used.","type":"string"},"create":{"description":"Create enables JKS keystore creation for the Certificate.\nIf true, a file named `keystore.jks` will be created in the target\nSecret resource, encrypted using the password stored in\n`passwordSecretRef` or `password`.\nThe keystore file will be updated immediately.\nIf the issuer provided a CA certificate, a file named `truststore.jks`\nwill also be created in the target Secret resource, encrypted using the\npassword stored in `passwordSecretRef`\ncontaining the issuing Certificate Authority","type":"boolean"},"password":{"description":"Password provides a literal password used to encrypt the JKS keystore.\nMutually exclusive with passwordSecretRef.\nOne of password or passwordSecretRef must provide a password with a non-zero length.","type":"string"},"passwordSecretRef":{"description":"PasswordSecretRef is a reference to a non-empty key in a Secret resource\ncontaining the password used to encrypt the JKS keystore.\nMutually exclusive with password.\nOne of password or passwordSecretRef must provide a password with a non-zero 
length.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"pkcs12":{"description":"PKCS12 configures options for storing a PKCS12 keystore in the\n`spec.secretName` Secret resource.","type":"object","required":["create"],"properties":{"create":{"description":"Create enables PKCS12 keystore creation for the Certificate.\nIf true, a file named `keystore.p12` will be created in the target\nSecret resource, encrypted using the password stored in\n`passwordSecretRef` or in `password`.\nThe keystore file will be updated immediately.\nIf the issuer provided a CA certificate, a file named `truststore.p12` will\nalso be created in the target Secret resource, encrypted using the\npassword stored in `passwordSecretRef` containing the issuing Certificate\nAuthority","type":"boolean"},"password":{"description":"Password provides a literal password used to encrypt the PKCS#12 keystore.\nMutually exclusive with passwordSecretRef.\nOne of password or passwordSecretRef must provide a password with a non-zero length.","type":"string"},"passwordSecretRef":{"description":"PasswordSecretRef is a reference to a non-empty key in a Secret resource\ncontaining the password used to encrypt the PKCS#12 keystore.\nMutually exclusive with password.\nOne of password or passwordSecretRef must provide a password with a non-zero length.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred 
to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"profile":{"description":"Profile specifies the key and certificate encryption algorithms and the HMAC algorithm\nused to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.\n\nIf provided, allowed values are:\n`LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.\n`LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.\n`Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms\n(eg. because of company policy). Please note that the security of the algorithm is not that important\nin reality, because the unencrypted certificate and private key are also stored in the Secret.","type":"string","enum":["LegacyRC2","LegacyDES","Modern2023"]}}}}},"literalSubject":{"description":"Requested X.509 certificate subject, represented using the LDAP \"String\nRepresentation of a Distinguished Name\" [1].\nImportant: the LDAP string format also specifies the order of the attributes\nin the subject, this is important when issuing certs for LDAP authentication.\nExample: `CN=foo,DC=corp,DC=example,DC=com`\nMore info [1]: https://datatracker.ietf.org/doc/html/rfc4514\nMore info: https://github.com/cert-manager/cert-manager/issues/3203\nMore info: https://github.com/cert-manager/cert-manager/issues/4424\n\nCannot be set if the `subject` or `commonName` field is set.","type":"string"},"nameConstraints":{"description":"x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.\nMore Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10\n\nThis is an Alpha Feature and is only enabled with the\n`--feature-gates=NameConstraints=true` option set on both\nthe controller and webhook components.","type":"object","properties":{"critical":{"description":"if true then the name constraints are marked 
critical.","type":"boolean"},"excluded":{"description":"Excluded contains the constraints which must be disallowed. Any name matching a\nrestriction in the excluded field is invalid regardless\nof information appearing in the permitted","type":"object","properties":{"dnsDomains":{"description":"DNSDomains is a list of DNS domains that are permitted or excluded.","type":"array","items":{"type":"string"}},"emailAddresses":{"description":"EmailAddresses is a list of Email Addresses that are permitted or excluded.","type":"array","items":{"type":"string"}},"ipRanges":{"description":"IPRanges is a list of IP Ranges that are permitted or excluded.\nThis should be a valid CIDR notation.","type":"array","items":{"type":"string"}},"uriDomains":{"description":"URIDomains is a list of URI domains that are permitted or excluded.","type":"array","items":{"type":"string"}}}},"permitted":{"description":"Permitted contains the constraints in which the names must be located.","type":"object","properties":{"dnsDomains":{"description":"DNSDomains is a list of DNS domains that are permitted or excluded.","type":"array","items":{"type":"string"}},"emailAddresses":{"description":"EmailAddresses is a list of Email Addresses that are permitted or excluded.","type":"array","items":{"type":"string"}},"ipRanges":{"description":"IPRanges is a list of IP Ranges that are permitted or excluded.\nThis should be a valid CIDR notation.","type":"array","items":{"type":"string"}},"uriDomains":{"description":"URIDomains is a list of URI domains that are permitted or excluded.","type":"array","items":{"type":"string"}}}}}},"otherNames":{"description":"`otherNames` is an escape hatch for SAN that allows any type. 
We currently restrict the support to string like otherNames, cf RFC 5280 p 37\nAny UTF8 String valued otherName can be passed by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.\nMost commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3\nYou should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.","type":"array","items":{"type":"object","properties":{"oid":{"description":"OID is the object identifier for the otherName SAN.\nThe object identifier must be expressed as a dotted string, for\nexample, \"1.2.840.113556.1.4.221\".","type":"string"},"utf8Value":{"description":"utf8Value is the string value of the otherName SAN.\nThe utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.","type":"string"}}}},"privateKey":{"description":"Private key options. These include the key algorithm and size, the used\nencoding and the rotation policy.","type":"object","properties":{"algorithm":{"description":"Algorithm is the private key algorithm of the corresponding private key\nfor this certificate.\n\nIf provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.\nIf `algorithm` is specified and `size` is not provided,\nkey size of 2048 will be used for `RSA` key algorithm and\nkey size of 256 will be used for `ECDSA` key algorithm.\nkey size is ignored when using the `Ed25519` key algorithm.","type":"string","enum":["RSA","ECDSA","Ed25519"]},"encoding":{"description":"The private key cryptography standards (PKCS) encoding for this\ncertificate's private key to be encoded in.\n\nIf provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1\nand PKCS#8, respectively.\nDefaults to `PKCS1` if not specified.","type":"string","enum":["PKCS1","PKCS8"]},"rotationPolicy":{"description":"RotationPolicy controls how private keys should be regenerated when a\nre-issuance is being processed.\n\nIf set to `Never`, a private key will only be generated if one does 
not\nalready exist in the target `spec.secretName`. If one does exist but it\ndoes not have the correct algorithm or size, a warning will be raised\nto await user intervention.\nIf set to `Always`, a private key matching the specified requirements\nwill be generated whenever a re-issuance occurs.\nDefault is `Never` for backward compatibility.","type":"string","enum":["Never","Always"]},"size":{"description":"Size is the key bit size of the corresponding private key for this certificate.\n\nIf `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,\nand will default to `2048` if not specified.\nIf `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,\nand will default to `256` if not specified.\nIf `algorithm` is set to `Ed25519`, Size is ignored.\nNo other values are allowed.","type":"integer"}}},"renewBefore":{"description":"How long before the currently issued certificate's expiry cert-manager should\nrenew the certificate. For example, if a certificate is valid for 60 minutes,\nand `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate\n50 minutes after it was issued (i.e. when there are 10 minutes remaining until\nthe certificate is no longer valid).\n\nNOTE: The actual lifetime of the issued certificate is used to determine the\nrenewal time. If an issuer returns a certificate with a different lifetime than\nthe one requested, cert-manager will use the lifetime of the issued certificate.\n\nIf unset, this defaults to 1/3 of the issued certificate's lifetime.\nMinimum accepted value is 5 minutes.\nValue must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.\nCannot be set if the `renewBeforePercentage` field is set.","type":"string"},"renewBeforePercentage":{"description":"`renewBeforePercentage` is like `renewBefore`, except it is a relative percentage\nrather than an absolute duration. 
For example, if a certificate is valid for 60\nminutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to\nrenew the certificate 45 minutes after it was issued (i.e. when there are 15\nminutes (25%) remaining until the certificate is no longer valid).\n\nNOTE: The actual lifetime of the issued certificate is used to determine the\nrenewal time. If an issuer returns a certificate with a different lifetime than\nthe one requested, cert-manager will use the lifetime of the issued certificate.\n\nValue must be an integer in the range (0,100). The minimum effective\n`renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5\nminutes.\nCannot be set if the `renewBefore` field is set.","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"The maximum number of CertificateRequest revisions that are maintained in\nthe Certificate's history. Each revision represents a single `CertificateRequest`\ncreated by this Certificate, either when it was created, renewed, or Spec\nwas changed. Revisions will be removed by oldest first if the number of\nrevisions exceeds this number.\n\nIf set, revisionHistoryLimit must be a value of `1` or greater.\nIf unset (`nil`), revisions will not be garbage collected.\nDefault value is `nil`.","type":"integer","format":"int32"},"secretName":{"description":"Name of the Secret resource that will be automatically created and\nmanaged by this Certificate resource. It will be populated with a\nprivate key and certificate, signed by the denoted issuer. The Secret\nresource lives in the same namespace as the Certificate resource.","type":"string"},"secretTemplate":{"description":"Defines annotations and labels to be copied to the Certificate's Secret.\nLabels and annotations on the Secret will be changed as they appear on the\nSecretTemplate when added or removed. 
SecretTemplate annotations are added\nin conjunction with, and cannot overwrite, the base set of annotations\ncert-manager sets on the Certificate's Secret.","type":"object","properties":{"annotations":{"description":"Annotations is a key value map to be copied to the target Kubernetes Secret.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels is a key value map to be copied to the target Kubernetes Secret.","type":"object","additionalProperties":{"type":"string"}}}},"subject":{"description":"Requested set of X509 certificate subject attributes.\nMore info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6\n\nThe common name attribute is specified separately in the `commonName` field.\nCannot be set if the `literalSubject` field is set.","type":"object","properties":{"countries":{"description":"Countries to be used on the Certificate.","type":"array","items":{"type":"string"}},"localities":{"description":"Cities to be used on the Certificate.","type":"array","items":{"type":"string"}},"organizationalUnits":{"description":"Organizational Units to be used on the Certificate.","type":"array","items":{"type":"string"}},"organizations":{"description":"Organizations to be used on the Certificate.","type":"array","items":{"type":"string"}},"postalCodes":{"description":"Postal codes to be used on the Certificate.","type":"array","items":{"type":"string"}},"provinces":{"description":"State/Provinces to be used on the Certificate.","type":"array","items":{"type":"string"}},"serialNumber":{"description":"Serial number to be used on the Certificate.","type":"string"},"streetAddresses":{"description":"Street addresses to be used on the Certificate.","type":"array","items":{"type":"string"}}}},"uris":{"description":"Requested URI subject alternative names.","type":"array","items":{"type":"string"}},"usages":{"description":"Requested key usages and extended key usages.\nThese usages are used to set the `usages` field on the 
created CertificateRequest\nresources. If `encodeUsagesInRequest` is unset or set to `true`, the usages\nwill additionally be encoded in the `request` field which contains the CSR blob.\n\nIf unset, defaults to `digital signature` and `key encipherment`.","type":"array","items":{"description":"KeyUsage specifies valid usage contexts for keys.\nSee:\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.3\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.12\n\nValid KeyUsage values are as follows:\n\"signing\",\n\"digital signature\",\n\"content commitment\",\n\"key encipherment\",\n\"key agreement\",\n\"data encipherment\",\n\"cert sign\",\n\"crl sign\",\n\"encipher only\",\n\"decipher only\",\n\"any\",\n\"server auth\",\n\"client auth\",\n\"code signing\",\n\"email protection\",\n\"s/mime\",\n\"ipsec end system\",\n\"ipsec tunnel\",\n\"ipsec user\",\n\"timestamping\",\n\"ocsp signing\",\n\"microsoft sgc\",\n\"netscape sgc\"","type":"string","enum":["signing","digital signature","content commitment","key encipherment","key agreement","data encipherment","cert sign","crl sign","encipher only","decipher only","any","server auth","client auth","code signing","email protection","s/mime","ipsec end system","ipsec tunnel","ipsec user","timestamping","ocsp signing","microsoft sgc","netscape sgc"]}}}},"status":{"description":"Status of the Certificate.\nThis is set and managed automatically.\nRead-only.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"conditions":{"description":"List of status conditions to indicate the status of certificates.\nKnown condition types are `Ready` and `Issuing`.","type":"array","items":{"description":"CertificateCondition contains condition information for a Certificate.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"LastTransitionTime is the timestamp corresponding to the last status\nchange of this 
condition.","type":"string","format":"date-time"},"message":{"description":"Message is a human readable description of the details of the last\ntransition, complementing reason.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the condition was\nset based upon.\nFor instance, if .metadata.generation is currently 12, but the\n.status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the Certificate.","type":"integer","format":"int64"},"reason":{"description":"Reason is a brief machine readable explanation for the condition's last\ntransition.","type":"string"},"status":{"description":"Status of the condition, one of (`True`, `False`, `Unknown`).","type":"string","enum":["True","False","Unknown"]},"type":{"description":"Type of the condition, known values are (`Ready`, `Issuing`).","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"failedIssuanceAttempts":{"description":"The number of continuous failed issuance attempts up till now. This\nfield gets removed (if set) on a successful issuance and gets set to\n1 if unset and an issuance has failed. If an issuance has failed, the\ndelay till the next issuance will be calculated using formula\ntime.Hour * 2 ^ (failedIssuanceAttempts - 1).","type":"integer"},"lastFailureTime":{"description":"LastFailureTime is set only if the latest issuance for this\nCertificate failed and contains the time of the failure. If an\nissuance has failed, the delay till the next issuance will be\ncalculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -\n1). 
If the latest issuance has succeeded this field will be unset.","type":"string","format":"date-time"},"nextPrivateKeySecretName":{"description":"The name of the Secret resource containing the private key to be used\nfor the next certificate iteration.\nThe keymanager controller will automatically set this field if the\n`Issuing` condition is set to `True`.\nIt will automatically unset this field when the Issuing condition is\nnot set or False.","type":"string"},"notAfter":{"description":"The expiration time of the certificate stored in the secret named\nby this resource in `spec.secretName`.","type":"string","format":"date-time"},"notBefore":{"description":"The time after which the certificate stored in the secret named\nby this resource in `spec.secretName` is valid.","type":"string","format":"date-time"},"renewalTime":{"description":"RenewalTime is the time at which the certificate will be next\nrenewed.\nIf not set, no upcoming renewal is scheduled.","type":"string","format":"date-time"},"revision":{"description":"The current 'revision' of the certificate as issued.\n\nWhen a CertificateRequest resource is created, it will have the\n`cert-manager.io/certificate-revision` set to one greater than the\ncurrent value of this field.\n\nUpon issuance, this field will be set to the value of the annotation\non the CertificateRequest resource used to issue the certificate.\n\nPersisting the value on the CertificateRequest resource allows the\ncertificates controller to know whether a request is part of an old\nissuance or if it is part of the ongoing revision's issuance by\nchecking if the revision value in the annotation is greater than this\nfield.","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"Certificate","version":"v1"}],"title":"io.cert-manager.v1.Certificate"},"io.cert-manager.v1.CertificateList":{"description":"CertificateList is a list of 
Certificate","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of certificates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.v1.Certificate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"CertificateList","version":"v1"}],"title":"io.cert-manager.v1.CertificateList"},"io.cert-manager.v1.CertificateRequest":{"description":"A CertificateRequest is used to request a signed certificate from one of the\nconfigured issuers.\n\nAll fields within the CertificateRequest's `spec` are immutable after creation.\nA CertificateRequest will either succeed or fail, as denoted by its `Ready` status\ncondition and its `status.failureTime` field.\n\nA CertificateRequest is a one-shot resource, meaning it represents a single\npoint in time request for a certificate and cannot be re-used.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired state of the CertificateRequest resource.\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","required":["issuerRef","request"],"properties":{"duration":{"description":"Requested 'duration' (i.e. lifetime) of the Certificate. Note that the\nissuer may choose to ignore the requested duration, just like any other\nrequested attribute.","type":"string"},"extra":{"description":"Extra contains extra attributes of the user that created the CertificateRequest.\nPopulated by the cert-manager webhook on creation and immutable.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"Groups contains group membership of the user that created the CertificateRequest.\nPopulated by the cert-manager webhook on creation and immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"isCA":{"description":"Requested basic constraints isCA value. 
Note that the issuer may choose\nto ignore the requested isCA value, just like any other requested attribute.\n\nNOTE: If the CSR in the `Request` field has a BasicConstraints extension,\nit must have the same isCA value as specified here.\n\nIf true, this will automatically add the `cert sign` usage to the list\nof requested `usages`.","type":"boolean"},"issuerRef":{"description":"Reference to the issuer responsible for issuing the certificate.\nIf the issuer is namespace-scoped, it must be in the same namespace\nas the Certificate. If the issuer is cluster-scoped, it can be used\nfrom any namespace.\n\nThe `name` field of the reference must always be specified.","type":"object","required":["name"],"properties":{"group":{"description":"Group of the resource being referred to.","type":"string"},"kind":{"description":"Kind of the resource being referred to.","type":"string"},"name":{"description":"Name of the resource being referred to.","type":"string"}}},"request":{"description":"The PEM-encoded X.509 certificate signing request to be submitted to the\nissuer for signing.\n\nIf the CSR has a BasicConstraints extension, its isCA attribute must\nmatch the `isCA` value of this CertificateRequest.\nIf the CSR has a KeyUsage extension, its key usages must match the\nkey usages in the `usages` field of this CertificateRequest.\nIf the CSR has an ExtKeyUsage extension, its extended key usages\nmust match the extended key usages in the `usages` field of this\nCertificateRequest.","type":"string","format":"byte"},"uid":{"description":"UID contains the uid of the user that created the CertificateRequest.\nPopulated by the cert-manager webhook on creation and immutable.","type":"string"},"usages":{"description":"Requested key usages and extended key usages.\n\nNOTE: If the CSR in the `Request` field uses the KeyUsage or\nExtKeyUsage extension, these extensions must have the same values\nas specified here without any additional values.\n\nIf unset, defaults to `digital 
signature` and `key encipherment`.","type":"array","items":{"description":"KeyUsage specifies valid usage contexts for keys.\nSee:\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.3\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.12\n\nValid KeyUsage values are as follows:\n\"signing\",\n\"digital signature\",\n\"content commitment\",\n\"key encipherment\",\n\"key agreement\",\n\"data encipherment\",\n\"cert sign\",\n\"crl sign\",\n\"encipher only\",\n\"decipher only\",\n\"any\",\n\"server auth\",\n\"client auth\",\n\"code signing\",\n\"email protection\",\n\"s/mime\",\n\"ipsec end system\",\n\"ipsec tunnel\",\n\"ipsec user\",\n\"timestamping\",\n\"ocsp signing\",\n\"microsoft sgc\",\n\"netscape sgc\"","type":"string","enum":["signing","digital signature","content commitment","key encipherment","key agreement","data encipherment","cert sign","crl sign","encipher only","decipher only","any","server auth","client auth","code signing","email protection","s/mime","ipsec end system","ipsec tunnel","ipsec user","timestamping","ocsp signing","microsoft sgc","netscape sgc"]}},"username":{"description":"Username contains the name of the user that created the CertificateRequest.\nPopulated by the cert-manager webhook on creation and immutable.","type":"string"}}},"status":{"description":"Status of the CertificateRequest.\nThis is set and managed automatically.\nRead-only.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"object","properties":{"ca":{"description":"The PEM encoded X.509 certificate of the signer, also known as the CA\n(Certificate Authority).\nThis is set on a best-effort basis by different issuers.\nIf not set, the CA is assumed to be unknown/not available.","type":"string","format":"byte"},"certificate":{"description":"The PEM encoded X.509 certificate resulting from the certificate\nsigning request.\nIf not set, the CertificateRequest has either not been completed or has\nfailed. 
More information on failure can be found by checking the\n`conditions` field.","type":"string","format":"byte"},"conditions":{"description":"List of status conditions to indicate the status of a CertificateRequest.\nKnown condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.","type":"array","items":{"description":"CertificateRequestCondition contains condition information for a CertificateRequest.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"LastTransitionTime is the timestamp corresponding to the last status\nchange of this condition.","type":"string","format":"date-time"},"message":{"description":"Message is a human readable description of the details of the last\ntransition, complementing reason.","type":"string"},"reason":{"description":"Reason is a brief machine readable explanation for the condition's last\ntransition.","type":"string"},"status":{"description":"Status of the condition, one of (`True`, `False`, `Unknown`).","type":"string","enum":["True","False","Unknown"]},"type":{"description":"Type of the condition, known values are (`Ready`, `InvalidRequest`,\n`Approved`, `Denied`).","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"failureTime":{"description":"FailureTime stores the time that this CertificateRequest failed. This is\nused to influence garbage collection and back-off.","type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"CertificateRequest","version":"v1"}],"title":"io.cert-manager.v1.CertificateRequest"},"io.cert-manager.v1.CertificateRequestList":{"description":"CertificateRequestList is a list of CertificateRequest","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of certificaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.v1.CertificateRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"CertificateRequestList","version":"v1"}],"title":"io.cert-manager.v1.CertificateRequestList"},"io.cert-manager.v1.ClusterIssuer":{"description":"A ClusterIssuer represents a certificate issuing authority which can be\nreferenced as part of `issuerRef` fields.\nIt is similar to an Issuer, however it is cluster-scoped and therefore can\nbe referenced by resources that exist in *any* namespace, not just the same\nnamespace as the referent.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Desired state of the ClusterIssuer resource.","type":"object","properties":{"acme":{"description":"ACME configures this issuer to communicate with a RFC8555 (ACME) server\nto obtain signed x509 certificates.","type":"object","required":["privateKeySecretRef","server"],"properties":{"caBundle":{"description":"Base64-encoded bundle of PEM CAs which can be used to validate the certificate\nchain presented by the ACME server.\nMutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various\nkinds of security vulnerabilities.\nIf CABundle and SkipTLSVerify are unset, the system certificate bundle inside\nthe container is used to validate the TLS connection.","type":"string","format":"byte"},"disableAccountKeyGeneration":{"description":"Enables or disables generating a new ACME account key.\nIf true, the Issuer resource will *not* request a new account but will expect\nthe account key to be supplied via an existing secret.\nIf false, the cert-manager system will generate a new ACME account key\nfor the Issuer.\nDefaults to false.","type":"boolean"},"email":{"description":"Email is the email address to be associated with the ACME account.\nThis field is optional, but it is strongly recommended to be set.\nIt will be used to contact you in case of issues with 
your account or\ncertificates, including expiry notification emails.\nThis field may be updated after the account is initially registered.","type":"string"},"enableDurationFeature":{"description":"Enables requesting a Not After date on certificates that matches the\nduration of the certificate. This is not supported by all ACME servers\nlike Let's Encrypt. If set to true when the ACME server does not support\nit, it will create an error on the Order.\nDefaults to false.","type":"boolean"},"externalAccountBinding":{"description":"ExternalAccountBinding is a reference to a CA external account of the ACME\nserver.\nIf set, upon registration cert-manager will attempt to associate the given\nexternal account credentials with the registered ACME account.","type":"object","required":["keyID","keySecretRef"],"properties":{"keyAlgorithm":{"description":"Deprecated: keyAlgorithm field exists for historical compatibility\nreasons and should not be used. The algorithm is now hardcoded to HS256\nin golang/x/crypto/acme.","type":"string","enum":["HS256","HS384","HS512"]},"keyID":{"description":"keyID is the ID of the CA key that the External Account is bound to.","type":"string"},"keySecretRef":{"description":"keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes\nSecret which holds the symmetric MAC key of the External Account Binding.\nThe `key` is the index string that is paired with the key data in the\nSecret and should not be confused with the key data itself, or indeed with\nthe External Account Binding keyID above.\nThe secret key stored in the Secret **must** be un-padded, base64 URL\nencoded data.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"preferredChain":{"description":"PreferredChain is the chain to use if the ACME server outputs multiple.\nPreferredChain is no guarantee that this one gets delivered by the ACME\nendpoint.\nFor example, for Let's Encrypt's DST crosssign you would use:\n\"DST Root CA X3\" or \"ISRG Root X1\" for the newer Let's Encrypt root CA.\nThis value picks the first certificate bundle in the combined set of\nACME default and alternative chains that has a root-most certificate with\nthis value as its issuer's commonname.","type":"string","maxLength":64},"privateKeySecretRef":{"description":"PrivateKey is the name of a Kubernetes Secret resource that will be used to\nstore the automatically generated ACME account private key.\nOptionally, a `key` may be specified to select a specific entry within\nthe named Secret resource.\nIf `key` is not specified, a default of `tls.key` will be used.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"server":{"description":"Server is the URL used to access the ACME server's 'directory' endpoint.\nFor example, for Let's Encrypt's staging endpoint, you would use:\n\"https://acme-staging-v02.api.letsencrypt.org/directory\".\nOnly ACME v2 endpoints (i.e. 
RFC 8555) are supported.","type":"string"},"skipTLSVerify":{"description":"INSECURE: Enables or disables validation of the ACME server TLS certificate.\nIf true, requests to the ACME server will not have the TLS certificate chain\nvalidated.\nMutually exclusive with CABundle; prefer using CABundle to prevent various\nkinds of security vulnerabilities.\nOnly enable this option in development environments.\nIf CABundle and SkipTLSVerify are unset, the system certificate bundle inside\nthe container is used to validate the TLS connection.\nDefaults to false.","type":"boolean"},"solvers":{"description":"Solvers is a list of challenge solvers that will be used to solve\nACME challenges for the matching domains.\nSolver configurations must be provided in order to obtain certificates\nfrom an ACME server.\nFor more information, see: https://cert-manager.io/docs/configuration/acme/","type":"array","items":{"description":"An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.\nA selector may be provided to use different solving strategies for different DNS names.\nOnly one of HTTP01 or DNS01 must be provided.","type":"object","properties":{"dns01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the DNS01 challenge flow.","type":"object","properties":{"acmeDNS":{"description":"Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage\nDNS01 challenge records.","type":"object","required":["accountSecretRef","host"],"properties":{"accountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"host":{"type":"string"}}},"akamai":{"description":"Use the Akamai DNS zone management API to manage DNS01 challenge records.","type":"object","required":["accessTokenSecretRef","clientSecretSecretRef","clientTokenSecretRef","serviceConsumerDomain"],"properties":{"accessTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientSecretSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"serviceConsumerDomain":{"type":"string"}}},"azureDNS":{"description":"Use the Microsoft Azure DNS API to manage DNS01 challenge records.","type":"object","required":["resourceGroupName","subscriptionID"],"properties":{"clientID":{"description":"Auth: Azure Service Principal:\nThe ClientID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientSecret and TenantID must also be set.","type":"string"},"clientSecretSecretRef":{"description":"Auth: Azure Service Principal:\nA reference to a Secret containing the password associated with the Service Principal.\nIf set, ClientID and TenantID must also be set.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"environment":{"description":"name of the Azure environment (default AzurePublicCloud)","type":"string","enum":["AzurePublicCloud","AzureChinaCloud","AzureGermanCloud","AzureUSGovernmentCloud"]},"hostedZoneName":{"description":"name of the DNS zone that should be used","type":"string"},"managedIdentity":{"description":"Auth: Azure Workload Identity or Azure Managed Service Identity:\nSettings to enable Azure Workload Identity or Azure Managed Service Identity\nIf set, ClientID, ClientSecret and TenantID must not be set.","type":"object","properties":{"clientID":{"description":"client ID of the managed identity, can not be used at the same time as resourceID","type":"string"},"resourceID":{"description":"resource ID of the managed identity, can not be used at the same time as clientID\nCannot be used for Azure Managed Service 
Identity","type":"string"},"tenantID":{"description":"tenant ID of the managed identity, can not be used at the same time as resourceID","type":"string"}}},"resourceGroupName":{"description":"resource group the DNS zone is located in","type":"string"},"subscriptionID":{"description":"ID of the Azure subscription","type":"string"},"tenantID":{"description":"Auth: Azure Service Principal:\nThe TenantID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientID and ClientSecret must also be set.","type":"string"}}},"cloudDNS":{"description":"Use the Google Cloud DNS API to manage DNS01 challenge records.","type":"object","required":["project"],"properties":{"hostedZoneName":{"description":"HostedZoneName is an optional field that tells cert-manager in which\nCloud DNS zone the challenge record has to be created.\nIf left empty cert-manager will automatically choose a zone.","type":"string"},"project":{"type":"string"},"serviceAccountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"cloudflare":{"description":"Use the Cloudflare API to manage DNS01 challenge records.","type":"object","properties":{"apiKeySecretRef":{"description":"API key to use to authenticate with Cloudflare.\nNote: using an API token to authenticate is now the recommended method\nas it allows greater control of permissions.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances 
of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"apiTokenSecretRef":{"description":"API token used to authenticate with Cloudflare.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"email":{"description":"Email of the account, only required when using API key based authentication.","type":"string"}}},"cnameStrategy":{"description":"CNAMEStrategy configures how the DNS01 provider should handle CNAME\nrecords when found in DNS zones.","type":"string","enum":["None","Follow"]},"digitalocean":{"description":"Use the DigitalOcean DNS API to manage DNS01 challenge records.","type":"object","required":["tokenSecretRef"],"properties":{"tokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"rfc2136":{"description":"Use RFC2136 (\"Dynamic Updates in the Domain Name System\") (https://datatracker.ietf.org/doc/rfc2136/)\nto manage DNS01 challenge 
records.","type":"object","required":["nameserver"],"properties":{"nameserver":{"description":"The IP address or hostname of an authoritative DNS server supporting\nRFC2136 in the form host:port. If the host is an IPv6 address it must be\nenclosed in square brackets (e.g. [2001:db8::1]); port is optional.\nThis field is required.","type":"string"},"tsigAlgorithm":{"description":"The TSIG Algorithm configured in the DNS supporting RFC2136. Used only\nwhen ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.\nSupported values are (case-insensitive): ``HMACMD5`` (default),\n``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.\nHMAC-MD5 is a legacy algorithm; set ``HMACSHA256`` or ``HMACSHA512`` explicitly\nwhen the DNS server supports them.","type":"string"},"tsigKeyName":{"description":"The TSIG Key name configured in the DNS.\nIf ``tsigSecretSecretRef`` is defined, this field is required.","type":"string"},"tsigSecretSecretRef":{"description":"The name of the secret containing the TSIG value.\nIf ``tsigKeyName`` is defined, this field is required.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"route53":{"description":"Use the AWS Route53 API to manage DNS01 challenge records.","type":"object","properties":{"accessKeyID":{"description":"The AccessKeyID is used for authentication.\nCannot be set when SecretAccessKeyID (`accessKeyIDSecretRef`) is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"string"},"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication. 
If set, pull the AWS\naccess key ID from a key within a Kubernetes Secret.\nCannot be set when AccessKeyID is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"auth":{"description":"Auth configures how cert-manager authenticates.","type":"object","required":["kubernetes"],"properties":{"kubernetes":{"description":"Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity\nby passing a bound ServiceAccount token.","type":"object","required":["serviceAccountRef"],"properties":{"serviceAccountRef":{"description":"A reference to a service account that will be used to request a bound\ntoken (also known as \"projected token\"). To use this field, you must\nconfigure an RBAC rule to let cert-manager request a token.","type":"object","required":["name"],"properties":{"audiences":{"description":"TokenAudiences is an optional list of audiences to include in the\ntoken passed to AWS. 
The default token consisting of the issuer's namespace\nand name is always included.\nIf unset the audience defaults to `sts.amazonaws.com`.","type":"array","items":{"type":"string"}},"name":{"description":"Name of the ServiceAccount used to request a token.","type":"string"}}}}}}},"hostedZoneID":{"description":"If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.","type":"string"},"region":{"description":"Override the AWS region.\n\nRoute53 is a global service and does not have regional endpoints but the\nregion specified here (or via environment variables) is used as a hint to\nhelp compute the correct AWS credential scope and partition when it\nconnects to Route53. See:\n- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)\n- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)\n\nIf you omit this region field, cert-manager will use the region from\nAWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set\nin the cert-manager controller Pod.\n\nThe `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).\nIn this case this `region` field value is ignored.\n\nThe `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),\nIn this case this `region` field value is ignored.","type":"string"},"role":{"description":"Role is a Role ARN 
which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey\nor the inferred credentials from environment variables, shared credentials file or AWS Instance metadata","type":"string"},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"webhook":{"description":"Configure an external webhook based DNS01 challenge solver to manage\nDNS01 challenge records.","type":"object","required":["groupName","solverName"],"properties":{"config":{"description":"Additional configuration that should be passed to the webhook apiserver\nwhen challenges are processed.\nThis can contain arbitrary JSON data.\nSecret values should not be specified in this stanza.\nIf secret values are needed (e.g. 
credentials for a DNS service), you\nshould use a SecretKeySelector to reference a Secret resource.\nFor details on the schema of this field, consult the webhook provider\nimplementation's documentation.","x-kubernetes-preserve-unknown-fields":true},"groupName":{"description":"The API group name that should be used when POSTing ChallengePayload\nresources to the webhook apiserver.\nThis should be the same as the GroupName specified in the webhook\nprovider implementation.","type":"string"},"solverName":{"description":"The name of the solver to use, as defined in the webhook provider\nimplementation.\nThis will typically be the name of the provider, e.g. 'cloudflare'.","type":"string"}}}}},"http01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the HTTP01 challenge flow.\nIt is not possible to obtain certificates for wildcard domain names\n(e.g. `*.example.com`) using the HTTP01 challenge mechanism.","type":"object","properties":{"gatewayHTTPRoute":{"description":"The Gateway API is a sig-network community API that models service networking\nin Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will\ncreate HTTPRoutes with the specified labels in the same namespace as the challenge.\nThis solver is experimental, and fields / behaviour may change in the future.","type":"object","properties":{"labels":{"description":"Custom labels that will be applied to HTTPRoutes created by cert-manager\nwhile solving HTTP-01 challenges.","type":"object","additionalProperties":{"type":"string"}},"parentRefs":{"description":"When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.\ncert-manager needs to know which parentRefs should be used when creating\nthe HTTPRoute. Usually, the parentRef references a Gateway. 
See:\nhttps://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways","type":"array","items":{"description":"ParentReference identifies an API object (usually a Gateway) that can be considered\na parent of this resource (usually a route). There are two kinds of parent resources\nwith \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nThe API object must be valid in the cluster; the Group and Kind must\nbe registered in the cluster for this reference to be valid.","type":"object","required":["name"],"properties":{"group":{"description":"Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core","type":"string","maxLength":253,"pattern":"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"},"kind":{"description":"Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"},"name":{"description":"Name is the name of the referent.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1},"namespace":{"description":"Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. 
For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n<gateway:experimental:description>\nParentRefs from a Route to a Service in the same namespace are \"producer\"\nroutes, which apply default routing rules to inbound connections from\nany namespace to the Service.\n\nParentRefs from a Route to a Service in a different namespace are\n\"consumer\" routes, and these routing rules are only applied to outbound\nconnections originating from the same namespace as the Route, for which\nthe intended destination of the connections are a Service targeted as a\nParentRef of the Route.\n</gateway:experimental:description>\n\nSupport: Core","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"},"port":{"description":"Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n<gateway:experimental:description>\nWhen the parent resource is a Service, this targets a specific port in the\nService spec. 
When both Port (experimental) and SectionName are specified,\nthe name and port of the selected port must match both specified values.\n</gateway:experimental:description>\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended","type":"integer","format":"int32","maximum":65535,"minimum":1},"sectionName":{"description":"SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"}}}},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which match the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership (and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}},"ingress":{"description":"The ingress based HTTP01 challenge solver will solve challenges by\ncreating or modifying Ingress resources in order to route requests for\n'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are\nprovisioned by cert-manager for each Challenge to be completed.","type":"object","properties":{"class":{"description":"This field configures the annotation `kubernetes.io/ingress.class` when\ncreating Ingress resources to solve ACME challenges that use this\nchallenge solver. Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"ingressClassName":{"description":"This field configures the field `ingressClassName` on the created Ingress\nresources used to solve ACME challenges that use this challenge solver.\nThis is the recommended way of configuring the ingress class. 
Only one of\n`class`, `name` or `ingressClassName` may be specified.","type":"string"},"ingressTemplate":{"description":"Optional ingress template used to configure the ACME challenge solver\ningress used for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the ingress used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}}}}}},"name":{"description":"The name of the ingress resource that should have ACME challenge solving\nroutes inserted into it in order to solve HTTP01 challenges.\nThis is typically used in conjunction with ingress controllers like\ningress-gce, which maintains a 1:1 mapping between external IPs and\ningress resources. 
Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}}}},"selector":{"description":"Selector selects a set of DNSNames on the Certificate resource that\nshould be solved using this challenge solver.\nIf not specified, the solver will be treated as the 'default' solver\nwith the lowest priority, i.e. 
if any other solver has a more specific\nmatch, it will be used instead.","type":"object","properties":{"dnsNames":{"description":"List of DNSNames that this solver will be used to solve.\nIf specified and a match is found, a dnsNames selector will take\nprecedence over a dnsZones selector.\nIf multiple solvers match with the same dnsNames value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"dnsZones":{"description":"List of DNSZones that this solver will be used to solve.\nThe most specific DNS zone match specified here will take precedence\nover other DNS zone matches, so a solver specifying sys.example.com\nwill be selected over one specifying example.com for the domain\nwww.sys.example.com.\nIf multiple solvers match with the same dnsZones value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"matchLabels":{"description":"A label selector that is used to refine the set of certificates that\nthis challenge solver will apply to.","type":"object","additionalProperties":{"type":"string"}}}}}}}}},"ca":{"description":"CA configures this issuer to sign certificates using a signing CA keypair\nstored in a Secret resource.\nThis is used to build internal PKIs that are managed by cert-manager.","type":"object","required":["secretName"],"properties":{"crlDistributionPoints":{"description":"The CRL distribution points is an X.509 v3 certificate extension which identifies\nthe location of the CRL from which the revocation of this certificate can be checked.\nIf not set, certificates will be issued without distribution points set.","type":"array","items":{"type":"string"}},"issuingCertificateURLs":{"description":"IssuingCertificateURLs is a list of URLs which
this issuer should embed into certificates\nit creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.\nAs an example, such a URL might be \"http://ca.domain.com/ca.crt\".","type":"array","items":{"type":"string"}},"ocspServers":{"description":"The OCSP server list is an X.509 v3 extension that defines a list of\nURLs of OCSP responders. The OCSP responders can be queried for the\nrevocation status of an issued certificate. If not set, the\ncertificate will be issued with no OCSP servers set. For example, an\nOCSP server URL could be \"http://ocsp.int-x3.letsencrypt.org\".","type":"array","items":{"type":"string"}},"secretName":{"description":"SecretName is the name of the secret used to sign Certificates issued\nby this Issuer.","type":"string"}}},"selfSigned":{"description":"SelfSigned configures this issuer to 'self sign' certificates using the\nprivate key used to create the CertificateRequest object.","type":"object","properties":{"crlDistributionPoints":{"description":"The CRL distribution points is an X.509 v3 certificate extension which identifies\nthe location of the CRL from which the revocation of this certificate can be checked.\nIf not set certificate will be issued without CDP. 
Values are strings.","type":"array","items":{"type":"string"}}}},"vault":{"description":"Vault configures this issuer to sign certificates using a HashiCorp Vault\nPKI backend.","type":"object","required":["auth","path","server"],"properties":{"auth":{"description":"Auth configures how cert-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","roleId","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted in Vault, e.g:\n\"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"clientCertificate":{"description":"ClientCertificate authenticates with Vault by presenting a client\ncertificate during the request's TLS handshake.\nWorks only when using HTTPS protocol.","type":"object","properties":{"mountPath":{"description":"The Vault mountPath here is the mount path to use when authenticating with\nVault. For example, setting a value to `/v1/auth/foo`, will use the path\n`/v1/auth/foo/login` to authenticate with Vault. 
If unspecified, the\ndefault value \"/v1/auth/cert\" will be used.","type":"string"},"name":{"description":"Name of the certificate role to authenticate against.\nIf not set, matching any certificate role, if available.","type":"string"},"secretName":{"description":"Reference to Kubernetes Secret of type \"kubernetes.io/tls\" (hence containing\ntls.crt and tls.key) used to authenticate to Vault using TLS client\nauthentication.","type":"string"}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["role"],"properties":{"mountPath":{"description":"The Vault mountPath here is the mount path to use when authenticating with\nVault. For example, setting a value to `/v1/auth/foo`, will use the path\n`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the\ndefault value \"/v1/auth/kubernetes\" will be used.","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"The required Secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. Use of 'ambient credentials' is not\nsupported.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"serviceAccountRef":{"description":"A reference to a service account that will be used to request a bound\ntoken (also known as \"projected token\"). Compared to using \"secretRef\",\nusing this field means that you don't rely on statically bound tokens. 
To\nuse this field, you must configure an RBAC rule to let cert-manager\nrequest a token.","type":"object","required":["name"],"properties":{"audiences":{"description":"TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token\nconsisting of the issuer's namespace and name is always included.","type":"array","items":{"type":"string"}},"name":{"description":"Name of the ServiceAccount used to request a token.","type":"string"}}}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"caBundle":{"description":"Base64-encoded bundle of PEM CAs which will be used to validate the certificate\nchain presented by Vault. 
Only used if using HTTPS to connect to Vault and\nignored for HTTP connections.\nMutually exclusive with CABundleSecretRef.\nIf neither CABundle nor CABundleSecretRef are defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.","type":"string","format":"byte"},"caBundleSecretRef":{"description":"Reference to a Secret containing a bundle of PEM-encoded CAs to use when\nverifying the certificate chain presented by Vault when using HTTPS.\nMutually exclusive with CABundle.\nIf neither CABundle nor CABundleSecretRef are defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.\nIf no key for the Secret is specified, cert-manager will default to 'ca.crt'.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientCertSecretRef":{"description":"Reference to a Secret containing a PEM-encoded Client Certificate to use when the\nVault server requires mTLS.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientKeySecretRef":{"description":"Reference to a Secret containing a PEM-encoded Client Private Key to use when the\nVault server requires mTLS.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in 
the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\"\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:\n\"my_pki_mount/sign/my-role-name\".","type":"string"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"}}},"venafi":{"description":"Venafi configures this issuer to sign certificates using a Venafi TPP\nor Venafi Cloud policy zone.","type":"object","required":["zone"],"properties":{"cloud":{"description":"Cloud specifies the Venafi cloud configuration settings.\nOnly one of TPP or Cloud may be specified.","type":"object","required":["apiTokenSecretRef"],"properties":{"apiTokenSecretRef":{"description":"APITokenSecretRef is a secret key selector for the Venafi Cloud API token.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"url":{"description":"URL is the base URL for Venafi Cloud.\nDefaults to \"https://api.venafi.cloud/v1\".","type":"string"}}},"tpp":{"description":"TPP specifies Trust Protection Platform 
configuration settings.\nOnly one of TPP or Cloud may be specified.","type":"object","required":["credentialsRef","url"],"properties":{"caBundle":{"description":"Base64-encoded bundle of PEM CAs which will be used to validate the certificate\nchain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.\nIf undefined, the certificate bundle in the cert-manager controller container\nis used to validate the chain.","type":"string","format":"byte"},"caBundleSecretRef":{"description":"Reference to a Secret containing a base64-encoded bundle of PEM CAs\nwhich will be used to validate the certificate chain presented by the TPP server.\nOnly used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.\nIf neither CABundle nor CABundleSecretRef is defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"credentialsRef":{"description":"CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.\nThe secret must contain the key 'access-token' for the Access Token Authentication,\nor two keys, 'username' and 'password' for the API Keys Authentication.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"url":{"description":"URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,\nfor example: 
\"https://tpp.example.com/vedsdk\".","type":"string"}}},"zone":{"description":"Zone is the Venafi Policy Zone to use for this issuer.\nAll requests made to the Venafi platform will be restricted by the named\nzone policy.\nThis field is required.","type":"string"}}}}},"status":{"description":"Status of the ClusterIssuer. This is set and managed automatically.","type":"object","properties":{"acme":{"description":"ACME specific status options.\nThis field should only be set if the Issuer is configured to use an ACME\nserver to issue certificates.","type":"object","properties":{"lastPrivateKeyHash":{"description":"LastPrivateKeyHash is a hash of the private key associated with the latest\nregistered ACME account, in order to track changes made to registered account\nassociated with the Issuer","type":"string"},"lastRegisteredEmail":{"description":"LastRegisteredEmail is the email associated with the latest registered\nACME account, in order to track changes made to registered account\nassociated with the  Issuer","type":"string"},"uri":{"description":"URI is the unique account identifier, which can also be used to retrieve\naccount details from the CA","type":"string"}}},"conditions":{"description":"List of status conditions to indicate the status of a CertificateRequest.\nKnown condition types are `Ready`.","type":"array","items":{"description":"IssuerCondition contains condition information for an Issuer.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"LastTransitionTime is the timestamp corresponding to the last status\nchange of this condition.","type":"string","format":"date-time"},"message":{"description":"Message is a human readable description of the details of the last\ntransition, complementing reason.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the condition was\nset based upon.\nFor instance, if .metadata.generation is currently 12, but 
the\n.status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the Issuer.","type":"integer","format":"int64"},"reason":{"description":"Reason is a brief machine readable explanation for the condition's last\ntransition.","type":"string"},"status":{"description":"Status of the condition, one of (`True`, `False`, `Unknown`).","type":"string","enum":["True","False","Unknown"]},"type":{"description":"Type of the condition, known values are (`Ready`).","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"ClusterIssuer","version":"v1"}],"title":"io.cert-manager.v1.ClusterIssuer"},"io.cert-manager.v1.ClusterIssuerList":{"description":"ClusterIssuerList is a list of ClusterIssuer","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterissuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.v1.ClusterIssuer"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"ClusterIssuerList","version":"v1"}],"title":"io.cert-manager.v1.ClusterIssuerList"},"io.cert-manager.v1.Issuer":{"description":"An Issuer represents a certificate issuing authority which can be\nreferenced as part of `issuerRef` fields.\nIt is scoped to a single namespace and can therefore only be referenced by\nresources within the same namespace.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Desired state of the Issuer resource.","type":"object","properties":{"acme":{"description":"ACME configures this issuer to communicate with a RFC8555 (ACME) server\nto obtain signed x509 certificates.","type":"object","required":["privateKeySecretRef","server"],"properties":{"caBundle":{"description":"Base64-encoded bundle of PEM CAs which can be used to validate the certificate\nchain presented by the ACME server.\nMutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various\nkinds of security vulnerabilities.\nIf CABundle and SkipTLSVerify are unset, the system certificate bundle inside\nthe container is used to validate the TLS connection.","type":"string","format":"byte"},"disableAccountKeyGeneration":{"description":"Enables or disables generating a new ACME account key.\nIf true, the Issuer resource will *not* request a new account but will expect\nthe account key to be supplied via an existing secret.\nIf false, the cert-manager system will generate a new ACME account key\nfor the Issuer.\nDefaults to false.","type":"boolean"},"email":{"description":"Email is the email address to be associated with the ACME account.\nThis field is optional, but it is strongly recommended to be set.\nIt will be used to contact you in case of issues with your account or\ncertificates, including expiry notification emails.\nThis field may be updated after the account is initially registered.","type":"string"},"enableDurationFeature":{"description":"Enables requesting a Not After date on certificates that matches the\nduration of the certificate. This is not supported by all ACME servers\nlike Let's Encrypt. 
If set to true when the ACME server does not support\nit, it will create an error on the Order.\nDefaults to false.","type":"boolean"},"externalAccountBinding":{"description":"ExternalAccountBinding is a reference to a CA external account of the ACME\nserver.\nIf set, upon registration cert-manager will attempt to associate the given\nexternal account credentials with the registered ACME account.","type":"object","required":["keyID","keySecretRef"],"properties":{"keyAlgorithm":{"description":"Deprecated: keyAlgorithm field exists for historical compatibility\nreasons and should not be used. The algorithm is now hardcoded to HS256\nin golang/x/crypto/acme.","type":"string","enum":["HS256","HS384","HS512"]},"keyID":{"description":"keyID is the ID of the CA key that the External Account is bound to.","type":"string"},"keySecretRef":{"description":"keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes\nSecret which holds the symmetric MAC key of the External Account Binding.\nThe `key` is the index string that is paired with the key data in the\nSecret and should not be confused with the key data itself, or indeed with\nthe External Account Binding keyID above.\nThe secret key stored in the Secret **must** be un-padded, base64 URL\nencoded data.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"preferredChain":{"description":"PreferredChain is the chain to use if the ACME server outputs multiple chains.\nPreferredChain is no guarantee that this one gets delivered by the ACME\nendpoint.\nFor example, for Let's Encrypt's DST cross-sign you would use:\n\"DST Root CA X3\" or \"ISRG Root X1\" for
the newer Let's Encrypt root CA.\nThis value picks the first certificate bundle in the combined set of\nACME default and alternative chains that has a root-most certificate with\nthis value as its issuer's commonname.","type":"string","maxLength":64},"privateKeySecretRef":{"description":"PrivateKey is the name of a Kubernetes Secret resource that will be used to\nstore the automatically generated ACME account private key.\nOptionally, a `key` may be specified to select a specific entry within\nthe named Secret resource.\nIf `key` is not specified, a default of `tls.key` will be used.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"server":{"description":"Server is the URL used to access the ACME server's 'directory' endpoint.\nFor example, for Let's Encrypt's staging endpoint, you would use:\n\"https://acme-staging-v02.api.letsencrypt.org/directory\".\nOnly ACME v2 endpoints (i.e. 
RFC 8555) are supported.","type":"string"},"skipTLSVerify":{"description":"INSECURE: Enables or disables validation of the ACME server TLS certificate.\nIf true, requests to the ACME server will not have the TLS certificate chain\nvalidated.\nMutually exclusive with CABundle; prefer using CABundle to prevent various\nkinds of security vulnerabilities.\nOnly enable this option in development environments.\nIf CABundle and SkipTLSVerify are unset, the system certificate bundle inside\nthe container is used to validate the TLS connection.\nDefaults to false.","type":"boolean"},"solvers":{"description":"Solvers is a list of challenge solvers that will be used to solve\nACME challenges for the matching domains.\nSolver configurations must be provided in order to obtain certificates\nfrom an ACME server.\nFor more information, see: https://cert-manager.io/docs/configuration/acme/","type":"array","items":{"description":"An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.\nA selector may be provided to use different solving strategies for different DNS names.\nOnly one of HTTP01 or DNS01 must be provided.","type":"object","properties":{"dns01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the DNS01 challenge flow.","type":"object","properties":{"acmeDNS":{"description":"Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage\nDNS01 challenge records.","type":"object","required":["accountSecretRef","host"],"properties":{"accountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"host":{"type":"string"}}},"akamai":{"description":"Use the Akamai DNS zone management API to manage DNS01 challenge records.","type":"object","required":["accessTokenSecretRef","clientSecretSecretRef","clientTokenSecretRef","serviceConsumerDomain"],"properties":{"accessTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientSecretSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientTokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"serviceConsumerDomain":{"type":"string"}}},"azureDNS":{"description":"Use the Microsoft Azure DNS API to manage DNS01 challenge records.","type":"object","required":["resourceGroupName","subscriptionID"],"properties":{"clientID":{"description":"Auth: Azure Service Principal:\nThe ClientID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientSecret and TenantID must also be set.","type":"string"},"clientSecretSecretRef":{"description":"Auth: Azure Service Principal:\nA reference to a Secret containing the password associated with the Service Principal.\nIf set, ClientID and TenantID must also be set.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"environment":{"description":"name of the Azure environment (default AzurePublicCloud)","type":"string","enum":["AzurePublicCloud","AzureChinaCloud","AzureGermanCloud","AzureUSGovernmentCloud"]},"hostedZoneName":{"description":"name of the DNS zone that should be used","type":"string"},"managedIdentity":{"description":"Auth: Azure Workload Identity or Azure Managed Service Identity:\nSettings to enable Azure Workload Identity or Azure Managed Service Identity\nIf set, ClientID, ClientSecret and TenantID must not be set.","type":"object","properties":{"clientID":{"description":"client ID of the managed identity, can not be used at the same time as resourceID","type":"string"},"resourceID":{"description":"resource ID of the managed identity, can not be used at the same time as clientID\nCannot be used for Azure Managed Service 
Identity","type":"string"},"tenantID":{"description":"tenant ID of the managed identity, can not be used at the same time as resourceID","type":"string"}}},"resourceGroupName":{"description":"resource group the DNS zone is located in","type":"string"},"subscriptionID":{"description":"ID of the Azure subscription","type":"string"},"tenantID":{"description":"Auth: Azure Service Principal:\nThe TenantID of the Azure Service Principal used to authenticate with Azure DNS.\nIf set, ClientID and ClientSecret must also be set.","type":"string"}}},"cloudDNS":{"description":"Use the Google Cloud DNS API to manage DNS01 challenge records.","type":"object","required":["project"],"properties":{"hostedZoneName":{"description":"HostedZoneName is an optional field that tells cert-manager in which\nCloud DNS zone the challenge record has to be created.\nIf left empty cert-manager will automatically choose a zone.","type":"string"},"project":{"type":"string"},"serviceAccountSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"cloudflare":{"description":"Use the Cloudflare API to manage DNS01 challenge records.","type":"object","properties":{"apiKeySecretRef":{"description":"API key to use to authenticate with Cloudflare.\nNote: using an API token to authenticate is now the recommended method\nas it allows greater control of permissions.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances 
of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"apiTokenSecretRef":{"description":"API token used to authenticate with Cloudflare.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"email":{"description":"Email of the account, only required when using API key based authentication.","type":"string"}}},"cnameStrategy":{"description":"CNAMEStrategy configures how the DNS01 provider should handle CNAME\nrecords when found in DNS zones.","type":"string","enum":["None","Follow"]},"digitalocean":{"description":"Use the DigitalOcean DNS API to manage DNS01 challenge records.","type":"object","required":["tokenSecretRef"],"properties":{"tokenSecretRef":{"description":"A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"rfc2136":{"description":"Use RFC2136 (\"Dynamic Updates in the Domain Name System\") (https://datatracker.ietf.org/doc/rfc2136/)\nto manage DNS01 challenge 
records.","type":"object","required":["nameserver"],"properties":{"nameserver":{"description":"The IP address or hostname of an authoritative DNS server supporting\nRFC2136 in the form host:port. If the host is an IPv6 address it must be\nenclosed in square brackets (e.g. [2001:db8::1]); port is optional.\nThis field is required.","type":"string"},"tsigAlgorithm":{"description":"The TSIG Algorithm configured in the DNS supporting RFC2136. Used only\nwhen ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.\nSupported values are (case-insensitive): ``HMACMD5`` (default),\n``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.\n``HMACMD5`` is no longer recommended for TSIG (see RFC 8945); set\n``HMACSHA256`` or ``HMACSHA512`` explicitly when the DNS server supports it.","type":"string"},"tsigKeyName":{"description":"The TSIG Key name configured in the DNS.\nIf ``tsigSecretSecretRef`` is defined, this field is required.","type":"string"},"tsigSecretSecretRef":{"description":"The name of the secret containing the TSIG value.\nIf ``tsigKeyName`` is defined, this field is required.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"route53":{"description":"Use the AWS Route53 API to manage DNS01 challenge records.","type":"object","properties":{"accessKeyID":{"description":"The AccessKeyID is used for authentication.\nCannot be set when AccessKeyIDSecretRef is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"string"},"accessKeyIDSecretRef":{"description":"The SecretAccessKey is used for authentication. 
If set, pull the AWS\naccess key ID from a key within a Kubernetes Secret.\nCannot be set when AccessKeyID is set.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"auth":{"description":"Auth configures how cert-manager authenticates.","type":"object","required":["kubernetes"],"properties":{"kubernetes":{"description":"Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity\nby passing a bound ServiceAccount token.","type":"object","required":["serviceAccountRef"],"properties":{"serviceAccountRef":{"description":"A reference to a service account that will be used to request a bound\ntoken (also known as \"projected token\"). To use this field, you must\nconfigure an RBAC rule to let cert-manager request a token.","type":"object","required":["name"],"properties":{"audiences":{"description":"TokenAudiences is an optional list of audiences to include in the\ntoken passed to AWS. 
The default token consisting of the issuer's namespace\nand name is always included.\nIf unset the audience defaults to `sts.amazonaws.com`.","type":"array","items":{"type":"string"}},"name":{"description":"Name of the ServiceAccount used to request a token.","type":"string"}}}}}}},"hostedZoneID":{"description":"If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.","type":"string"},"region":{"description":"Override the AWS region.\n\nRoute53 is a global service and does not have regional endpoints but the\nregion specified here (or via environment variables) is used as a hint to\nhelp compute the correct AWS credential scope and partition when it\nconnects to Route53. See:\n- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)\n- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)\n\nIf you omit this region field, cert-manager will use the region from\nAWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set\nin the cert-manager controller Pod.\n\nThe `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).\nIn this case this `region` field value is ignored.\n\nThe `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).\nInstead an AWS_REGION environment variable is added to the cert-manager controller Pod by:\n[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),\nIn this case this `region` field value is ignored.","type":"string"},"role":{"description":"Role is a Role ARN 
which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey\nor the inferred credentials from environment variables, shared credentials file or AWS Instance metadata","type":"string"},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication.\nIf neither the Access Key nor Key ID are set, we fall-back to using env\nvars, shared credentials file or AWS Instance metadata,\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"webhook":{"description":"Configure an external webhook based DNS01 challenge solver to manage\nDNS01 challenge records.","type":"object","required":["groupName","solverName"],"properties":{"config":{"description":"Additional configuration that should be passed to the webhook apiserver\nwhen challenges are processed.\nThis can contain arbitrary JSON data.\nSecret values should not be specified in this stanza.\nIf secret values are needed (e.g. 
credentials for a DNS service), you\nshould use a SecretKeySelector to reference a Secret resource.\nFor details on the schema of this field, consult the webhook provider\nimplementation's documentation.","x-kubernetes-preserve-unknown-fields":true},"groupName":{"description":"The API group name that should be used when POSTing ChallengePayload\nresources to the webhook apiserver.\nThis should be the same as the GroupName specified in the webhook\nprovider implementation.","type":"string"},"solverName":{"description":"The name of the solver to use, as defined in the webhook provider\nimplementation.\nThis will typically be the name of the provider, e.g. 'cloudflare'.","type":"string"}}}}},"http01":{"description":"Configures cert-manager to attempt to complete authorizations by\nperforming the HTTP01 challenge flow.\nIt is not possible to obtain certificates for wildcard domain names\n(e.g. `*.example.com`) using the HTTP01 challenge mechanism.","type":"object","properties":{"gatewayHTTPRoute":{"description":"The Gateway API is a sig-network community API that models service networking\nin Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will\ncreate HTTPRoutes with the specified labels in the same namespace as the challenge.\nThis solver is experimental, and fields / behaviour may change in the future.","type":"object","properties":{"labels":{"description":"Custom labels that will be applied to HTTPRoutes created by cert-manager\nwhile solving HTTP-01 challenges.","type":"object","additionalProperties":{"type":"string"}},"parentRefs":{"description":"When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.\ncert-manager needs to know which parentRefs should be used when creating\nthe HTTPRoute. Usually, the parentRef references a Gateway. 
See:\nhttps://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways","type":"array","items":{"description":"ParentReference identifies an API object (usually a Gateway) that can be considered\na parent of this resource (usually a route). There are two kinds of parent resources\nwith \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nThe API object must be valid in the cluster; the Group and Kind must\nbe registered in the cluster for this reference to be valid.","type":"object","required":["name"],"properties":{"group":{"description":"Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core","type":"string","maxLength":253,"pattern":"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"},"kind":{"description":"Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"},"name":{"description":"Name is the name of the referent.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1},"namespace":{"description":"Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. 
For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n<gateway:experimental:description>\nParentRefs from a Route to a Service in the same namespace are \"producer\"\nroutes, which apply default routing rules to inbound connections from\nany namespace to the Service.\n\nParentRefs from a Route to a Service in a different namespace are\n\"consumer\" routes, and these routing rules are only applied to outbound\nconnections originating from the same namespace as the Route, for which\nthe intended destination of the connections are a Service targeted as a\nParentRef of the Route.\n</gateway:experimental:description>\n\nSupport: Core","type":"string","maxLength":63,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"},"port":{"description":"Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n<gateway:experimental:description>\nWhen the parent resource is a Service, this targets a specific port in the\nService spec. 
When both Port (experimental) and SectionName are specified,\nthe name and port of the selected port must match both specified values.\n</gateway:experimental:description>\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended","type":"integer","format":"int32","maximum":65535,"minimum":1},"sectionName":{"description":"SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core","type":"string","maxLength":253,"minLength":1,"pattern":"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"}}}},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}},"ingress":{"description":"The ingress based HTTP01 challenge solver will solve challenges by\ncreating or modifying Ingress resources in order to route requests for\n'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are\nprovisioned by cert-manager for each Challenge to be completed.","type":"object","properties":{"class":{"description":"This field configures the annotation `kubernetes.io/ingress.class` when\ncreating Ingress resources to solve ACME challenges that use this\nchallenge solver. Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"ingressClassName":{"description":"This field configures the field `ingressClassName` on the created Ingress\nresources used to solve ACME challenges that use this challenge solver.\nThis is the recommended way of configuring the ingress class. 
Only one of\n`class`, `name` or `ingressClassName` may be specified.","type":"string"},"ingressTemplate":{"description":"Optional ingress template used to configure the ACME challenge solver\ningress used for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the ingress used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver ingress.","type":"object","additionalProperties":{"type":"string"}}}}}},"name":{"description":"The name of the ingress resource that should have ACME challenge solving\nroutes inserted into it in order to solve HTTP01 challenges.\nThis is typically used in conjunction with ingress controllers like\ningress-gce, which maintains a 1:1 mapping between external IPs and\ningress resources. 
Only one of `class`, `name` or `ingressClassName` may\nbe specified.","type":"string"},"podTemplate":{"description":"Optional pod template used to configure the ACME challenge solver pods\nused for HTTP01 challenges.","type":"object","properties":{"metadata":{"description":"ObjectMeta overrides for the pod used to solve HTTP01 challenges.\nOnly the 'labels' and 'annotations' fields may be set.\nIf labels or annotations overlap with in-built values, the values here\nwill override the in-built values.","type":"object","properties":{"annotations":{"description":"Annotations that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Labels that should be added to the created ACME HTTP01 solver pods.","type":"object","additionalProperties":{"type":"string"}}}},"spec":{"description":"PodSpec defines overrides for the HTTP01 challenge solver pod.\nCheck ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.\nAll other fields will be ignored.","type":"object","properties":{"affinity":{"description":"If specified, the pod's scheduling constraints","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node matches the corresponding matchExpressions; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0\n(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["preference","weight"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. 
due to an update), the system\nmay or may not try to eventually evict the pod from its node.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"description":"A null or empty node selector term matches no objects. The requirements of\nthem are ANDed.\nThe TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"description":"A node selector requirement is a selector that contains values, a key, and an operator\nthat relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt or Lt, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy\nthe anti-affinity expressions specified by this field, but it may choose\na node that violates one or more of the expressions. 
The node that is\nmost preferred is the one with the greatest sum of weights, i.e.\nfor each node that meets all of the scheduling requirements (resource\nrequest, requiredDuringScheduling anti-affinity expressions, etc.),\ncompute a sum by iterating through the elements of this field and adding\n\"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the\nnode(s) with the highest sum are the most preferred.","type":"array","items":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm,\nin the range 1-100.","type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at\nscheduling time, the pod will not be scheduled onto the node.\nIf the anti-affinity requirements specified by this field cease to be met\nat some point during pod execution (e.g. due to a pod label update), the\nsystem may or may not try to eventually evict the pod from its node.\nWhen there are multiple elements, the lists of nodes corresponding to each\npodAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"description":"Defines a set of pods (namely those matching the labelSelector\nrelative to the given namespace(s)) that this pod should be\nco-located (affinity) or not co-located (anti-affinity) with,\nwhere co-located is defined as running on a node whose value of\nthe label with key <topologyKey> matches that of any node on which\na pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods.\nIf it's null, this PodAffinityTerm matches with no Pods.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. The default value is empty.\nThe same key is forbidden to exist in both matchLabelKeys and labelSelector.\nAlso, matchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will\nbe taken into consideration. The keys are used to lookup values from the\nincoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`\nto select the group of existing pods which pods will be taken into consideration\nfor the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming\npod labels will be ignored. 
The default value is empty.\nThe same key is forbidden to exist in both mismatchLabelKeys and labelSelector.\nAlso, mismatchLabelKeys cannot be set when labelSelector isn't set.\nThis is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to.\nThe term is applied to the union of the namespaces selected by this field\nand the ones listed in the namespaces field.\nnull selector and null or empty namespaces list means \"this pod's namespace\".\nAn empty selector ({}) matches all namespaces.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to.\nThe term is applied to the union of the namespaces listed in this field\nand the ones selected by namespaceSelector.\nnull or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching\nthe labelSelector in the specified namespaces, where co-located is defined as running on a node\nwhose value of the label with key topologyKey matches that of any node on which any of the\nselected pods is running.\nEmpty topologyKey is not allowed.","type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"imagePullSecrets":{"description":"If specified, the pod's imagePullSecrets","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node.\nSelector which must match a node's labels for the pod to be scheduled on that node.\nMore info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"}},"priorityClassName":{"description":"If specified, the pod's priorityClassName.","type":"string"},"securityContext":{"description":"If specified, the pod's security context","type":"object","properties":{"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.","type":"string"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  
If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  
If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.","type":"string"}}},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition\nto the container's primary GID, the fsGroup (if specified), and group memberships\ndefined in the container image for the uid of the container process. If unspecified,\nno additional groups are added to any container. 
Note that group memberships\ndefined in the container image for the uid of the container process are still effective,\neven if they are not included in this list.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"}},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.","type":"array","items":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}}}}},"serviceAccountName":{"description":"If specified, the pod's service account","type":"string"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}}}}}}},"serviceType":{"description":"Optional service type for Kubernetes solver service. Supported values\nare NodePort or ClusterIP. If unset, defaults to NodePort.","type":"string"}}}}},"selector":{"description":"Selector selects a set of DNSNames on the Certificate resource that\nshould be solved using this challenge solver.\nIf not specified, the solver will be treated as the 'default' solver\nwith the lowest priority, i.e. 
if any other solver has a more specific\nmatch, it will be used instead.","type":"object","properties":{"dnsNames":{"description":"List of DNSNames that this solver will be used to solve.\nIf specified and a match is found, a dnsNames selector will take\nprecedence over a dnsZones selector.\nIf multiple solvers match with the same dnsNames value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"dnsZones":{"description":"List of DNSZones that this solver will be used to solve.\nThe most specific DNS zone match specified here will take precedence\nover other DNS zone matches, so a solver specifying sys.example.com\nwill be selected over one specifying example.com for the domain\nwww.sys.example.com.\nIf multiple solvers match with the same dnsZones value, the solver\nwith the most matching labels in matchLabels will be selected.\nIf neither has more matches, the solver defined earlier in the list\nwill be selected.","type":"array","items":{"type":"string"}},"matchLabels":{"description":"A label selector that is used to refine the set of certificates that\nthis challenge solver will apply to.","type":"object","additionalProperties":{"type":"string"}}}}}}}}},"ca":{"description":"CA configures this issuer to sign certificates using a signing CA keypair\nstored in a Secret resource.\nThis is used to build internal PKIs that are managed by cert-manager.","type":"object","required":["secretName"],"properties":{"crlDistributionPoints":{"description":"The CRL distribution points is an X.509 v3 certificate extension which identifies\nthe location of the CRL from which the revocation of this certificate can be checked.\nIf not set, certificates will be issued without distribution points set.","type":"array","items":{"type":"string"}},"issuingCertificateURLs":{"description":"IssuingCertificateURLs is a list of URLs which 
this issuer should embed into certificates\nit creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.\nAs an example, such a URL might be \"http://ca.domain.com/ca.crt\".","type":"array","items":{"type":"string"}},"ocspServers":{"description":"The OCSP server list is an X.509 v3 extension that defines a list of\nURLs of OCSP responders. The OCSP responders can be queried for the\nrevocation status of an issued certificate. If not set, the\ncertificate will be issued with no OCSP servers set. For example, an\nOCSP server URL could be \"http://ocsp.int-x3.letsencrypt.org\".","type":"array","items":{"type":"string"}},"secretName":{"description":"SecretName is the name of the secret used to sign Certificates issued\nby this Issuer.","type":"string"}}},"selfSigned":{"description":"SelfSigned configures this issuer to 'self sign' certificates using the\nprivate key used to create the CertificateRequest object.","type":"object","properties":{"crlDistributionPoints":{"description":"The CRL distribution points is an X.509 v3 certificate extension which identifies\nthe location of the CRL from which the revocation of this certificate can be checked.\nIf not set certificate will be issued without CDP. 
Values are strings.","type":"array","items":{"type":"string"}}}},"vault":{"description":"Vault configures this issuer to sign certificates using a HashiCorp Vault\nPKI backend.","type":"object","required":["auth","path","server"],"properties":{"auth":{"description":"Auth configures how cert-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","roleId","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted in Vault, e.g:\n\"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"clientCertificate":{"description":"ClientCertificate authenticates with Vault by presenting a client\ncertificate during the request's TLS handshake.\nWorks only when using HTTPS protocol.","type":"object","properties":{"mountPath":{"description":"The Vault mountPath here is the mount path to use when authenticating with\nVault. For example, setting a value to `/v1/auth/foo`, will use the path\n`/v1/auth/foo/login` to authenticate with Vault. 
If unspecified, the\ndefault value \"/v1/auth/cert\" will be used.","type":"string"},"name":{"description":"Name of the certificate role to authenticate against.\nIf not set, matching any certificate role, if available.","type":"string"},"secretName":{"description":"Reference to Kubernetes Secret of type \"kubernetes.io/tls\" (hence containing\ntls.crt and tls.key) used to authenticate to Vault using TLS client\nauthentication.","type":"string"}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["role"],"properties":{"mountPath":{"description":"The Vault mountPath here is the mount path to use when authenticating with\nVault. For example, setting a value to `/v1/auth/foo`, will use the path\n`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the\ndefault value \"/v1/auth/kubernetes\" will be used.","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"The required Secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. Use of 'ambient credentials' is not\nsupported.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"serviceAccountRef":{"description":"A reference to a service account that will be used to request a bound\ntoken (also known as \"projected token\"). Compared to using \"secretRef\",\nusing this field means that you don't rely on statically bound tokens. 
To\nuse this field, you must configure an RBAC rule to let cert-manager\nrequest a token.","type":"object","required":["name"],"properties":{"audiences":{"description":"TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token\nconsisting of the issuer's namespace and name is always included.","type":"array","items":{"type":"string"}},"name":{"description":"Name of the ServiceAccount used to request a token.","type":"string"}}}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}}}},"caBundle":{"description":"Base64-encoded bundle of PEM CAs which will be used to validate the certificate\nchain presented by Vault. 
Only used if using HTTPS to connect to Vault and\nignored for HTTP connections.\nMutually exclusive with CABundleSecretRef.\nIf neither CABundle nor CABundleSecretRef are defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.","type":"string","format":"byte"},"caBundleSecretRef":{"description":"Reference to a Secret containing a bundle of PEM-encoded CAs to use when\nverifying the certificate chain presented by Vault when using HTTPS.\nMutually exclusive with CABundle.\nIf neither CABundle nor CABundleSecretRef are defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.\nIf no key for the Secret is specified, cert-manager will default to 'ca.crt'.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientCertSecretRef":{"description":"Reference to a Secret containing a PEM-encoded Client Certificate to use when the\nVault server requires mTLS.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"clientKeySecretRef":{"description":"Reference to a Secret containing a PEM-encoded Client Private Key to use when the\nVault server requires mTLS.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in 
the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\"\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:\n\"my_pki_mount/sign/my-role-name\".","type":"string"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"}}},"venafi":{"description":"Venafi configures this issuer to sign certificates using a Venafi TPP\nor Venafi Cloud policy zone.","type":"object","required":["zone"],"properties":{"cloud":{"description":"Cloud specifies the Venafi cloud configuration settings.\nOnly one of TPP or Cloud may be specified.","type":"object","required":["apiTokenSecretRef"],"properties":{"apiTokenSecretRef":{"description":"APITokenSecretRef is a secret key selector for the Venafi Cloud API token.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"url":{"description":"URL is the base URL for Venafi Cloud.\nDefaults to \"https://api.venafi.cloud/v1\".","type":"string"}}},"tpp":{"description":"TPP specifies Trust Protection Platform 
configuration settings.\nOnly one of TPP or Cloud may be specified.","type":"object","required":["credentialsRef","url"],"properties":{"caBundle":{"description":"Base64-encoded bundle of PEM CAs which will be used to validate the certificate\nchain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.\nIf undefined, the certificate bundle in the cert-manager controller container\nis used to validate the chain.","type":"string","format":"byte"},"caBundleSecretRef":{"description":"Reference to a Secret containing a base64-encoded bundle of PEM CAs\nwhich will be used to validate the certificate chain presented by the TPP server.\nOnly used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.\nIf neither CABundle nor CABundleSecretRef is defined, the certificate bundle in\nthe cert-manager controller container is used to validate the TLS connection.","type":"object","required":["name"],"properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used.\nSome instances of this field may be defaulted, in others it may be\nrequired.","type":"string"},"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"credentialsRef":{"description":"CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.\nThe secret must contain the key 'access-token' for the Access Token Authentication,\nor two keys, 'username' and 'password' for the API Keys Authentication.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the resource being referred to.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"url":{"description":"URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,\nfor example: 
\"https://tpp.example.com/vedsdk\".","type":"string"}}},"zone":{"description":"Zone is the Venafi Policy Zone to use for this issuer.\nAll requests made to the Venafi platform will be restricted by the named\nzone policy.\nThis field is required.","type":"string"}}}}},"status":{"description":"Status of the Issuer. This is set and managed automatically.","type":"object","properties":{"acme":{"description":"ACME specific status options.\nThis field should only be set if the Issuer is configured to use an ACME\nserver to issue certificates.","type":"object","properties":{"lastPrivateKeyHash":{"description":"LastPrivateKeyHash is a hash of the private key associated with the latest\nregistered ACME account, in order to track changes made to registered account\nassociated with the Issuer","type":"string"},"lastRegisteredEmail":{"description":"LastRegisteredEmail is the email associated with the latest registered\nACME account, in order to track changes made to registered account\nassociated with the  Issuer","type":"string"},"uri":{"description":"URI is the unique account identifier, which can also be used to retrieve\naccount details from the CA","type":"string"}}},"conditions":{"description":"List of status conditions to indicate the status of a CertificateRequest.\nKnown condition types are `Ready`.","type":"array","items":{"description":"IssuerCondition contains condition information for an Issuer.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"LastTransitionTime is the timestamp corresponding to the last status\nchange of this condition.","type":"string","format":"date-time"},"message":{"description":"Message is a human readable description of the details of the last\ntransition, complementing reason.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the condition was\nset based upon.\nFor instance, if .metadata.generation is currently 12, but 
the\n.status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the Issuer.","type":"integer","format":"int64"},"reason":{"description":"Reason is a brief machine readable explanation for the condition's last\ntransition.","type":"string"},"status":{"description":"Status of the condition, one of (`True`, `False`, `Unknown`).","type":"string","enum":["True","False","Unknown"]},"type":{"description":"Type of the condition, known values are (`Ready`).","type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}}}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"Issuer","version":"v1"}],"title":"io.cert-manager.v1.Issuer"},"io.cert-manager.v1.IssuerList":{"description":"IssuerList is a list of Issuer","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of issuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.cert-manager.v1.Issuer"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"cert-manager.io","kind":"IssuerList","version":"v1"}],"title":"io.cert-manager.v1.IssuerList"},"io.external-secrets.generators.v1alpha1.ACRAccessToken":{"description":"ACRAccessToken returns an Azure Container Registry token\nthat can be used for pushing/pulling images.\nNote: by default it will return an ACR Refresh Token with full access\n(depending on the identity).\nThis can be scoped down to the repository level using .spec.scope.\nIn case scope is defined it will return an ACR Access Token.\n\n\nSee docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ACRAccessTokenSpec defines how to generate the access token\ne.g. 
how to authenticate and which registry to use.\nsee: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview","type":"object","required":["auth","registry"],"properties":{"auth":{"type":"object","properties":{"managedIdentity":{"description":"ManagedIdentity uses Azure Managed Identity to authenticate with Azure.","type":"object","properties":{"identityId":{"description":"If multiple Managed Identities are assigned to the pod, you can select the one to be used","type":"string"}}},"servicePrincipal":{"description":"ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.","type":"object","required":["secretRef"],"properties":{"secretRef":{"description":"Configuration used to authenticate with Azure using static\ncredentials stored in a Kind=Secret.","type":"object","properties":{"clientId":{"description":"The Azure clientId of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientSecret":{"description":"The Azure ClientSecret of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"workloadIdentity":{"description":"WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.","type":"object","properties":{"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"environmentType":{"description":"EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud","type":"string","enum":["PublicCloud","USGovernmentCloud","ChinaCloud","GermanCloud"]},"registry":{"description":"the domain name of the ACR registry\ne.g. foobarexample.azurecr.io","type":"string"},"scope":{"description":"Define the scope for the access token, e.g. 
pull/push access for a repository.\nif not provided it will return a refresh token that has full scope.\nNote: you need to pin it down to the repository level, there is no wildcard available.\n\n\nexamples:\nrepository:my-repository:pull,push\nrepository:my-repository:pull\n\n\nsee docs for details: https://docs.docker.com/registry/spec/auth/scope/","type":"string"},"tenantId":{"description":"TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"ACRAccessToken","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.ACRAccessToken"},"io.external-secrets.generators.v1alpha1.ACRAccessTokenList":{"description":"ACRAccessTokenList is a list of ACRAccessToken","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of acraccesstokens. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.ACRAccessToken"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"ACRAccessTokenList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.ACRAccessTokenList"},"io.external-secrets.generators.v1alpha1.ECRAuthorizationToken":{"description":"ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an\nauthorization token.\nThe authorization token is valid for 12 hours.\nThe authorizationToken returned is a base64 encoded string that can be decoded\nand used in a docker login command to authenticate to a registry.\nFor more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["region"],"properties":{"auth":{"description":"Auth defines how to authenticate with AWS","type":"object","properties":{"jwt":{"description":"Authenticate against AWS using service account tokens.","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"region":{"description":"Region specifies the region to operate in.","type":"string"},"role":{"description":"You can assume a role before making calls to the\ndesired AWS service.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"ECRAuthorizationToken","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.ECRAuthorizationToken"},"io.external-secrets.generators.v1alpha1.ECRAuthorizationTokenList":{"description":"ECRAuthorizationTokenList is a list of ECRAuthorizationToken","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ecrauthorizationtokens. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.ECRAuthorizationToken"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"ECRAuthorizationTokenList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.ECRAuthorizationTokenList"},"io.external-secrets.generators.v1alpha1.Fake":{"description":"Fake generator is used for testing. It lets you define\na static set of credentials that is always returned.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"FakeSpec contains the static data.","type":"object","properties":{"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters VDS based on this property","type":"string"},"data":{"description":"Data defines the static data returned\nby this generator.","type":"object","additionalProperties":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"Fake","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.Fake"},"io.external-secrets.generators.v1alpha1.FakeList":{"description":"FakeList is a list of Fake","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of fakes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.Fake"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"FakeList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.FakeList"},"io.external-secrets.generators.v1alpha1.GCRAccessToken":{"description":"GCRAccessToken generates a GCP access token\nthat can be used to authenticate with GCR.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["auth","projectID"],"properties":{"auth":{"description":"Auth defines the means for authenticating with GCP","type":"object","properties":{"secretRef":{"type":"object","properties":{"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"workloadIdentity":{"type":"object","required":["clusterLocation","clusterName","serviceAccountRef"],"properties":{"clusterLocation":{"type":"string"},"clusterName":{"type":"string"},"clusterProjectID":{"type":"string"},"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID defines which project to use to authenticate with","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"GCRAccessToken","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.GCRAccessToken"},"io.external-secrets.generators.v1alpha1.GCRAccessTokenList":{"description":"GCRAccessTokenList is a list of GCRAccessToken","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of gcraccesstokens. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.GCRAccessToken"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"GCRAccessTokenList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.GCRAccessTokenList"},"io.external-secrets.generators.v1alpha1.Password":{"description":"Password generates a random password based on the\nconfiguration parameters in spec.\nYou can specify the length, characterset and other attributes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"PasswordSpec controls the behavior of the password generator.","type":"object","required":["allowRepeat","length","noUpper"],"properties":{"allowRepeat":{"description":"set AllowRepeat to true to allow repeating characters.","type":"boolean"},"digits":{"description":"Digits specifies the number of digits in the generated\npassword. If omitted it defaults to 25% of the length of the password","type":"integer"},"length":{"description":"Length of the password to be generated.\nDefaults to 24","type":"integer"},"noUpper":{"description":"Set NoUpper to disable uppercase characters","type":"boolean"},"symbolCharacters":{"description":"SymbolCharacters specifies the special characters that should be used\nin the generated password.","type":"string"},"symbols":{"description":"Symbols specifies the number of symbol characters in the generated\npassword. If omitted it defaults to 25% of the length of the password","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"Password","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.Password"},"io.external-secrets.generators.v1alpha1.PasswordList":{"description":"PasswordList is a list of Password","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of passwords. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.Password"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"PasswordList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.PasswordList"},"io.external-secrets.generators.v1alpha1.VaultDynamicSecret":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["path","provider"],"properties":{"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters VDS based on this property","type":"string"},"method":{"description":"Vault API method to use (GET/POST/other)","type":"string"},"parameters":{"description":"Parameters to pass to Vault write (for non-GET methods)","x-kubernetes-preserve-unknown-fields":true},"path":{"description":"Vault path to obtain the dynamic secret from","type":"string"},"provider":{"description":"Vault provider common spec","type":"object","required":["auth","server"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"roleRef":{"description":"Reference to a key in a Secret that contains the App Role ID used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role id.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"cert":{"description":"Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method","type":"object","properties":{"clientCert":{"description":"ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"iam":{"description":"Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method","type":"object","required":["vaultRole"],"properties":{"externalID":{"description":"AWS External ID set on assumed IAM roles","type":"string"},"jwt":{"description":"Specify a service account with IRSA enabled","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the AWS auth method is enabled in Vault, e.g: \"aws\"","type":"string"},"region":{"description":"AWS region","type":"string"},"role":{"description":"This is the AWS role to be assumed before talking to vault","type":"string"},"secretRef":{"description":"Specify credentials in a Secret object","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"vaultAwsIamServerID":{"description":"X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws","type":"string"},"vaultRole":{"description":"Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine","type":"string"}}},"jwt":{"description":"Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method","type":"object","required":["path"],"properties":{"kubernetesServiceAccountToken":{"description":"Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token for with the `TokenRequest` API.","type":"object","required":["serviceAccountRef"],"properties":{"audiences":{"description":"Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` if not specified.\nDeprecated: use serviceAccountRef.Audiences instead","type":"array","items":{"type":"string"}},"expirationSeconds":{"description":"Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDeprecated: this will be removed in the future.\nDefaults to 10 minutes.","type":"integer","format":"int64"},"serviceAccountRef":{"description":"Service account field containing the name of a kubernetes ServiceAccount.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"","type":"string"},"role":{"description":"Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method","type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["mountPath","role"],"properties":{"mountPath":{"description":"Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ldap":{"description":"Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method","type":"string"}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"userPass":{"description":"UserPass authenticates with Vault by passing username/password pair","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the UserPassword authentication backend is mounted\nin Vault, e.g: \"user\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the\nuser used to authenticate with Vault using the UserPass authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a user name used to authenticate using the UserPass Vault\nauthentication method","type":"string"}}}}},"caBundle":{"description":"PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Vault server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"forwardInconsistent":{"description":"ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header","type":"boolean"},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.","type":"string"},"readYourWrites":{"description":"ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency","type":"boolean"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"},"tls":{"description":"The configuration used for client side related TLS communication, when the Vault server\nrequires mutual authentication. Only used if the Server URL is using HTTPS protocol.\nThis parameter is ignored for plain HTTP protocol connection.\nIt's worth noting this configuration is different from the \"TLS certificates auth method\",\nwhich is available under the `auth.cert` section.","type":"object","properties":{"certSecretRef":{"description":"CertSecretRef is a certificate added to the transport layer\nwhen communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.crt'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"keySecretRef":{"description":"KeySecretRef to a key in a Secret resource containing client private key\nadded to the transport layer when communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.key'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"version":{"description":"Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".","type":"string","enum":["v1","v2"]}}},"resultType":{"description":"Result type defines which data is returned from the generator.\nBy default it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.","type":"string","enum":["Data","Auth"]}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"VaultDynamicSecret","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.VaultDynamicSecret"},"io.external-secrets.generators.v1alpha1.VaultDynamicSecretList":{"description":"VaultDynamicSecretList is a list of VaultDynamicSecret","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of vaultdynamicsecrets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.VaultDynamicSecret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"VaultDynamicSecretList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.VaultDynamicSecretList"},"io.external-secrets.generators.v1alpha1.Webhook":{"description":"Webhook connects to a third party API server to handle the secrets generation\nconfiguration parameters in spec.\nYou can specify the server, the token, and additional body parameters.\nSee documentation for the full API specification for requests and responses.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.","type":"object","required":["result","url"],"properties":{"body":{"description":"Body","type":"string"},"caBundle":{"description":"PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate webhook server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"headers":{"description":"Headers","type":"object","additionalProperties":{"type":"string"}},"method":{"description":"Webhook Method","type":"string"},"result":{"description":"Result formatting","type":"object","properties":{"jsonPath":{"description":"Json path of return value","type":"string"}}},"secrets":{"description":"Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name","type":"array","items":{"type":"object","required":["name","secretRef"],"properties":{"name":{"description":"Name of this secret in templates","type":"string"},"secretRef":{"description":"Secret ref to fill in credentials","type":"object","properties":{"key":{"description":"The key where the token is found.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"}}}}}},"timeout":{"description":"Timeout","type":"string"},"url":{"description":"Webhook url to call","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"Webhook","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.Webhook"},"io.external-secrets.generators.v1alpha1.WebhookList":{"description":"WebhookList is a list of 
Webhook","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of webhooks. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.generators.v1alpha1.Webhook"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"generators.external-secrets.io","kind":"WebhookList","version":"v1alpha1"}],"title":"io.external-secrets.generators.v1alpha1.WebhookList"},"io.external-secrets.v1alpha1.ClusterSecretStore":{"description":"ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecretStoreSpec defines the desired state of SecretStore.","type":"object","required":["provider"],"properties":{"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters ES based on this property","type":"string"},"provider":{"description":"Used to configure the provider. 
Only one provider may be set","type":"object","maxProperties":1,"minProperties":1,"properties":{"akeyless":{"description":"Akeyless configures this store to sync secrets using Akeyless Vault provider","type":"object","required":["akeylessGWApiURL","authSecretRef"],"properties":{"akeylessGWApiURL":{"description":"Akeyless GW API URL from which the secrets are fetched.","type":"string"},"authSecretRef":{"description":"Auth configures how the operator authenticates with Akeyless.","type":"object","properties":{"kubernetesAuth":{"description":"Kubernetes authenticates with Akeyless by passing the ServiceAccount\ntoken stored in the named Secret resource.","type":"object","required":["accessID","k8sConfName"],"properties":{"accessID":{"description":"the Akeyless Kubernetes auth-method access-id","type":"string"},"k8sConfName":{"description":"Kubernetes-auth configuration name in Akeyless-Gateway","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Akeyless. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Akeyless. 
If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"Reference to a Secret that contains the details\nto authenticate with Akeyless.","type":"object","properties":{"accessID":{"description":"The SecretAccessID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessType":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessTypeParam":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"caBundle":{"description":"PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used\nif the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Akeyless Gateway certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}}}},"alibaba":{"description":"Alibaba configures this store to sync secrets using Alibaba Cloud provider","type":"object","required":["auth","regionID"],"properties":{"auth":{"description":"AlibabaAuth contains a secretRef for credentials.","type":"object","properties":{"rrsa":{"description":"Authenticate against Alibaba using 
RRSA.","type":"object","required":["oidcProviderArn","oidcTokenFilePath","roleArn","sessionName"],"properties":{"oidcProviderArn":{"type":"string"},"oidcTokenFilePath":{"type":"string"},"roleArn":{"type":"string"},"sessionName":{"type":"string"}}},"secretRef":{"description":"AlibabaAuthSecretRef holds secret references for Alibaba credentials.","type":"object","required":["accessKeyIDSecretRef","accessKeySecretSecretRef"],"properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessKeySecretSecretRef":{"description":"The AccessKeySecret is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"regionID":{"description":"Alibaba Region to be used for the provider","type":"string"}}},"aws":{"description":"AWS configures this store to sync secrets using AWS Secret Manager provider","type":"object","required":["region","service"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","properties":{"jwt":{"description":"Authenticate against AWS using service account tokens.","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"region":{"description":"AWS Region to be used for the provider","type":"string"},"role":{"description":"Role is a Role ARN which the SecretManager provider will assume","type":"string"},"service":{"description":"Service defines which service should be used to fetch the secrets","type":"string","enum":["SecretsManager","ParameterStore"]}}},"azurekv":{"description":"AzureKV configures this store to sync secrets using Azure Key Vault provider","type":"object","required":["vaultUrl"],"properties":{"authSecretRef":{"description":"Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.","type":"object","properties":{"clientId":{"description":"The Azure clientId of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientSecret":{"description":"The Azure ClientSecret of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"authType":{"description":"Auth type defines how to authenticate to the keyvault service.\nValid values are:\n- \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret)\n- \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)\n- \"WorkloadIdentity\": Using the service account specified in serviceAccountRef","type":"string","enum":["ServicePrincipal","ManagedIdentity","WorkloadIdentity"]},"identityId":{"description":"If multiple Managed Identities are assigned to the pod, you can select the one to be used","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specifies the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"tenantId":{"description":"TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.","type":"string"},"vaultUrl":{"description":"Vault Url from which the secrets to be fetched from.","type":"string"}}},"fake":{"description":"Fake configures a store with static key/value pairs","type":"object","required":["data"],"properties":{"data":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"},"valueMap":{"type":"object","additionalProperties":{"type":"string"}},"version":{"type":"string"}}}}}},"gcpsm":{"description":"GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider","type":"object","properties":{"auth":{"description":"Auth defines the information necessary to authenticate against GCP","type":"object","properties":{"secretRef":{"type":"object","properties":{"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"workloadIdentity":{"type":"object","required":["clusterLocation","clusterName","serviceAccountRef"],"properties":{"clusterLocation":{"type":"string"},"clusterName":{"type":"string"},"clusterProjectID":{"type":"string"},"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID project where secret is located","type":"string"}}},"gitlab":{"description":"GitLab configures this store to sync secrets using GitLab Variables provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a GitLab instance.","type":"object","required":["SecretRef"],"properties":{"SecretRef":{"type":"object","properties":{"accessToken":{"description":"AccessToken is used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID specifies a project where secrets are located.","type":"string"},"url":{"description":"URL configures the GitLab instance URL. Defaults to https://gitlab.com/.","type":"string"}}},"ibm":{"description":"IBM configures this store to sync secrets using IBM Cloud provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the IBM secrets manager.","type":"object","required":["secretRef"],"properties":{"secretRef":{"type":"object","properties":{"secretApiKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serviceUrl":{"description":"ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance","type":"string"}}},"kubernetes":{"description":"Kubernetes configures this store to sync secrets using a Kubernetes cluster provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a Kubernetes instance.","type":"object","maxProperties":1,"minProperties":1,"properties":{"cert":{"description":"has both clientCert and clientKey as secretKeySelector","type":"object","properties":{"clientCert":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientKey":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"serviceAccount":{"description":"points to a service account that should be used for authentication","type":"object","properties":{"serviceAccount":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"token":{"description":"use static token to authenticate with","type":"object","properties":{"bearerToken":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"remoteNamespace":{"description":"Remote namespace to fetch the secrets from","type":"string"},"server":{"description":"configures the Kubernetes server Address.","type":"object","properties":{"caBundle":{"description":"CABundle is a base64-encoded CA certificate","type":"string","format":"byte"},"caProvider":{"description":"see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"description":"configures the Kubernetes server Address.","type":"string"}}}}},"oracle":{"description":"Oracle configures this store to sync secrets using Oracle Vault provider","type":"object","required":["region","vault"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Oracle Vault.\nIf empty, instance principal is used. Optionally, the authenticating principal type\nand/or user data may be supplied for the use of workload identity and user principal.","type":"object","required":["secretRef","tenancy","user"],"properties":{"secretRef":{"description":"SecretRef to pass through sensitive information.","type":"object","required":["fingerprint","privatekey"],"properties":{"fingerprint":{"description":"Fingerprint is the fingerprint of the API private key.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"privatekey":{"description":"PrivateKey is the user's API Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"tenancy":{"description":"Tenancy is the tenancy OCID where user is located.","type":"string"},"user":{"description":"User is an access OCID specific to the account.","type":"string"}}},"compartment":{"description":"Compartment is the vault compartment OCID.\nRequired for PushSecret","type":"string"},"encryptionKey":{"description":"EncryptionKey is the OCID of the encryption key within the vault.\nRequired for PushSecret","type":"string"},"principalType":{"description":"The type of principal to use for authentication. If left blank, the Auth struct will\ndetermine the principal type. 
This optional field must be specified if using\nworkload identity.","type":"string","enum":["","UserPrincipal","InstancePrincipal","Workload"]},"region":{"description":"Region is the region where vault is located.","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"vault":{"description":"Vault is the vault's OCID of the specific vault where secret is located.","type":"string"}}},"vault":{"description":"Vault configures this store to sync secrets using Hashi provider","type":"object","required":["auth","server"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","roleId","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role 
secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"cert":{"description":"Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method","type":"object","properties":{"clientCert":{"description":"ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"jwt":{"description":"Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method","type":"object","required":["path"],"properties":{"kubernetesServiceAccountToken":{"description":"Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token with the `TokenRequest` API.","type":"object","required":["serviceAccountRef"],"properties":{"audiences":{"description":"Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` if not specified.","type":"array","items":{"type":"string"}},"expirationSeconds":{"description":"Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDefaults to 10 minutes.","type":"integer","format":"int64"},"serviceAccountRef":{"description":"Service account field containing the name of a kubernetes ServiceAccount.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"","type":"string"},"role":{"description":"Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method","type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["mountPath","role"],"properties":{"mountPath":{"description":"Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ldap":{"description":"Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method","type":"string"}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caBundle":{"description":"PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Vault server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"forwardInconsistent":{"description":"ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header","type":"boolean"},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.","type":"string"},"readYourWrites":{"description":"ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency","type":"boolean"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"},"version":{"description":"Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".","type":"string","enum":["v1","v2"]}}},"webhook":{"description":"Webhook configures this store to sync secrets using a generic templated webhook","type":"object","required":["result","url"],"properties":{"body":{"description":"Body","type":"string"},"caBundle":{"description":"PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate webhook server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"headers":{"description":"Headers","type":"object","additionalProperties":{"type":"string"}},"method":{"description":"Webhook Method","type":"string"},"result":{"description":"Result formatting","type":"object","properties":{"jsonPath":{"description":"Json path of return value","type":"string"}}},"secrets":{"description":"Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name","type":"array","items":{"type":"object","required":["name","secretRef"],"properties":{"name":{"description":"Name of this secret in templates","type":"string"},"secretRef":{"description":"Secret ref to fill in credentials","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}},"timeout":{"description":"Timeout","type":"string"},"url":{"description":"Webhook url to call","type":"string"}}},"yandexlockbox":{"description":"YandexLockbox configures this store to sync secrets using Yandex Lockbox provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Lockbox","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}}}},"retrySettings":{"description":"Used to configure http retries if failed","type":"object","properties":{"maxRetries":{"type":"integer","format":"int32"},"retryInterval":{"type":"string"}}}}},"status":{"description":"SecretStoreStatus defines the observed state of the SecretStore.","type":"object","properties":{"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterSecretStore","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.ClusterSecretStore"},"io.external-secrets.v1alpha1.ClusterSecretStoreList":{"description":"ClusterSecretStoreList is a list of ClusterSecretStore","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustersecretstores. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1alpha1.ClusterSecretStore"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterSecretStoreList","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.ClusterSecretStoreList"},"io.external-secrets.v1alpha1.ExternalSecret":{"description":"ExternalSecret is the Schema for the external-secrets API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ExternalSecretSpec defines the desired state of ExternalSecret.","type":"object","required":["secretStoreRef","target"],"properties":{"data":{"description":"Data defines the connection between the Kubernetes Secret keys and the Provider data","type":"array","items":{"description":"ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.","type":"object","required":["remoteRef","secretKey"],"properties":{"remoteRef":{"description":"ExternalSecretDataRemoteRef defines Provider data location.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}}},"secretKey":{"type":"string"}}}},"dataFrom":{"description":"DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order","type":"array","items":{"description":"ExternalSecretDataRemoteRef defines Provider data location.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select 
a specific version of the Provider value, if supported","type":"string"}}}},"refreshInterval":{"description":"RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.","type":"string"},"secretStoreRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}},"target":{"description":"ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.","type":"object","properties":{"creationPolicy":{"description":"CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'","type":"string","enum":["Owner","Merge","None"]},"immutable":{"description":"Immutable defines if the final secret will be immutable","type":"boolean"},"name":{"description":"Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret resource","type":"string"},"template":{"description":"Template defines a blueprint for the created Secret resource.","type":"object","properties":{"data":{"type":"object","additionalProperties":{"type":"string"}},"engineVersion":{"description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","type":"string","enum":["v1","v2"]},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret 
blueprint.","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"templateFrom":{"type":"array","items":{"type":"object","maxProperties":1,"minProperties":1,"properties":{"configMap":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"}}}},"name":{"type":"string"}}},"secret":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"}}}},"name":{"type":"string"}}}}}},"type":{"type":"string"}}}}}}},"status":{"type":"object","properties":{"binding":{"description":"Binding represents a servicebinding.io Provisioned Service reference to the secret","type":"object","properties":{"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. 
apiVersion, kind, uid?","type":"string"}},"x-kubernetes-map-type":"atomic"},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}},"refreshTime":{"description":"refreshTime is the time and date the external secret was fetched and\nthe target secret updated","format":"date-time"},"syncedResourceVersion":{"description":"SyncedResourceVersion keeps track of the last synced version","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ExternalSecret","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.ExternalSecret"},"io.external-secrets.v1alpha1.ExternalSecretList":{"description":"ExternalSecretList is a list of ExternalSecret","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of externalsecrets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1alpha1.ExternalSecret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ExternalSecretList","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.ExternalSecretList"},"io.external-secrets.v1alpha1.PushSecret":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"PushSecretSpec configures the behavior of the PushSecret.","type":"object","required":["secretStoreRefs","selector"],"properties":{"data":{"description":"Secret Data that should be pushed to providers","type":"array","items":{"type":"object","required":["match"],"properties":{"match":{"description":"Match a given Secret Key to be pushed to the provider.","type":"object","required":["remoteRef"],"properties":{"remoteRef":{"description":"Remote Refs to push to providers.","type":"object","required":["remoteKey"],"properties":{"property":{"description":"Name of the property in the resulting secret","type":"string"},"remoteKey":{"description":"Name of the resulting provider secret.","type":"string"}}},"secretKey":{"description":"Secret Key to be pushed","type":"string"}}},"metadata":{"description":"Metadata is metadata attached to the secret.\nThe structure of metadata is provider specific, please look it up in the provider documentation.","x-kubernetes-preserve-unknown-fields":true}}}},"deletionPolicy":{"description":"Deletion Policy to handle Secrets in the provider. Possible Values: \"Delete/None\". Defaults to \"None\".","type":"string","enum":["Delete","None"]},"refreshInterval":{"description":"The Interval to which External Secrets will try to push a secret definition","type":"string"},"secretStoreRefs":{"type":"array","items":{"type":"object","properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"labelSelector":{"description":"Optionally, sync to secret stores with label selector","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"description":"Optionally, sync to the SecretStore of the given name","type":"string"}}}},"selector":{"description":"The Secret Selector (k8s source) for the Push Secret","type":"object","required":["secret"],"properties":{"secret":{"description":"Select a Secret to Push.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the Secret. 
The Secret must exist in the same namespace as the PushSecret manifest.","type":"string"}}}}},"template":{"description":"Template defines a blueprint for the created Secret resource.","type":"object","properties":{"data":{"type":"object","additionalProperties":{"type":"string"}},"engineVersion":{"description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","type":"string","enum":["v1","v2"]},"mergePolicy":{"type":"string","enum":["Replace","Merge"]},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"templateFrom":{"type":"array","items":{"type":"object","properties":{"configMap":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"literal":{"type":"string"},"secret":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"target":{"type":"string","enum":["Data","Annotations","Labels"]}}}},"type":{"type":"string"}}}}},"status":{"description":"PushSecretStatus indicates the history of the status of PushSecret.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"PushSecretStatusCondition indicates the status of the 
PushSecret.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"description":"PushSecretConditionType indicates the condition of the PushSecret.","type":"string"}}}},"refreshTime":{"description":"refreshTime is the time and date the external secret was fetched and\nthe target secret updated","format":"date-time"},"syncedPushSecrets":{"description":"Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.","type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"object","required":["match"],"properties":{"match":{"description":"Match a given Secret Key to be pushed to the provider.","type":"object","required":["remoteRef"],"properties":{"remoteRef":{"description":"Remote Refs to push to providers.","type":"object","required":["remoteKey"],"properties":{"property":{"description":"Name of the property in the resulting secret","type":"string"},"remoteKey":{"description":"Name of the resulting provider secret.","type":"string"}}},"secretKey":{"description":"Secret Key to be pushed","type":"string"}}},"metadata":{"description":"Metadata is metadata attached to the secret.\nThe structure of metadata is provider specific, please look it up in the provider documentation.","x-kubernetes-preserve-unknown-fields":true}}}}},"syncedResourceVersion":{"description":"SyncedResourceVersion keeps track of the last synced version.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"PushSecret","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.PushSecret"},"io.external-secrets.v1alpha1.PushSecretList":{"description":"PushSecretList is a list of PushSecret","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this 
representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pushsecrets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1alpha1.PushSecret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"PushSecretList","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.PushSecretList"},"io.external-secrets.v1alpha1.SecretStore":{"description":"SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecretStoreSpec defines the desired state of SecretStore.","type":"object","required":["provider"],"properties":{"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters ES based on this property","type":"string"},"provider":{"description":"Used to configure the provider. Only one provider may be set","type":"object","maxProperties":1,"minProperties":1,"properties":{"akeyless":{"description":"Akeyless configures this store to sync secrets using Akeyless Vault provider","type":"object","required":["akeylessGWApiURL","authSecretRef"],"properties":{"akeylessGWApiURL":{"description":"Akeyless GW API Url from which the secrets to be fetched from.","type":"string"},"authSecretRef":{"description":"Auth configures how the operator authenticates with Akeyless.","type":"object","properties":{"kubernetesAuth":{"description":"Kubernetes authenticates with Akeyless by passing the ServiceAccount\ntoken stored in the named Secret resource.","type":"object","required":["accessID","k8sConfName"],"properties":{"accessID":{"description":"the Akeyless Kubernetes auth-method access-id","type":"string"},"k8sConfName":{"description":"Kubernetes-auth configuration name in Akeyless-Gateway","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Akeyless. If a name is specified without a key,\n`token` is the default. 
If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Akeyless. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"Reference to a Secret that contains the details\nto authenticate with Akeyless.","type":"object","properties":{"accessID":{"description":"The SecretAccessID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessType":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessTypeParam":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"caBundle":{"description":"PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used\nif the AkeylessGWApiURL URL is using HTTPS protocol. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Akeyless Gateway certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}}}},"alibaba":{"description":"Alibaba configures this store to sync secrets using Alibaba Cloud provider","type":"object","required":["auth","regionID"],"properties":{"auth":{"description":"AlibabaAuth contains a secretRef for credentials.","type":"object","properties":{"rrsa":{"description":"Authenticate against Alibaba using RRSA.","type":"object","required":["oidcProviderArn","oidcTokenFilePath","roleArn","sessionName"],"properties":{"oidcProviderArn":{"type":"string"},"oidcTokenFilePath":{"type":"string"},"roleArn":{"type":"string"},"sessionName":{"type":"string"}}},"secretRef":{"description":"AlibabaAuthSecretRef holds secret references for Alibaba credentials.","type":"object","required":["accessKeyIDSecretRef","accessKeySecretSecretRef"],"properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessKeySecretSecretRef":{"description":"The AccessKeySecret is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"regionID":{"description":"Alibaba Region to be used for the provider","type":"string"}}},"aws":{"description":"AWS configures this store to sync secrets using AWS Secret Manager provider","type":"object","required":["region","service"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","properties":{"jwt":{"description":"Authenticate against AWS using service account tokens.","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"region":{"description":"AWS Region to be used for the provider","type":"string"},"role":{"description":"Role is a Role ARN which the SecretManager provider will assume","type":"string"},"service":{"description":"Service defines which service should be used to fetch the secrets","type":"string","enum":["SecretsManager","ParameterStore"]}}},"azurekv":{"description":"AzureKV configures this store to sync secrets using Azure Key Vault provider","type":"object","required":["vaultUrl"],"properties":{"authSecretRef":{"description":"Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.","type":"object","properties":{"clientId":{"description":"The Azure clientId of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientSecret":{"description":"The Azure ClientSecret of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"authType":{"description":"Auth type defines how to authenticate to the keyvault service.\nValid values are:\n- \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret)\n- \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)\n- \"WorkloadIdentity\": Using the service account referenced by serviceAccountRef","type":"string","enum":["ServicePrincipal","ManagedIdentity","WorkloadIdentity"]},"identityId":{"description":"If multiple Managed Identities are assigned to the pod, you can select the one to be used","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specifies the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"tenantId":{"description":"TenantID configures the Azure Tenant to send requests to. 
Required for ServicePrincipal auth type.","type":"string"},"vaultUrl":{"description":"Vault URL from which the secrets are fetched.","type":"string"}}},"fake":{"description":"Fake configures a store with static key/value pairs","type":"object","required":["data"],"properties":{"data":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"},"valueMap":{"type":"object","additionalProperties":{"type":"string"}},"version":{"type":"string"}}}}}},"gcpsm":{"description":"GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider","type":"object","properties":{"auth":{"description":"Auth defines the information necessary to authenticate against GCP","type":"object","properties":{"secretRef":{"type":"object","properties":{"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"workloadIdentity":{"type":"object","required":["clusterLocation","clusterName","serviceAccountRef"],"properties":{"clusterLocation":{"type":"string"},"clusterName":{"type":"string"},"clusterProjectID":{"type":"string"},"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID project where secret is located","type":"string"}}},"gitlab":{"description":"GitLab configures this store to sync secrets using GitLab Variables provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a GitLab instance.","type":"object","required":["SecretRef"],"properties":{"SecretRef":{"type":"object","properties":{"accessToken":{"description":"AccessToken is used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID specifies a project where secrets are located.","type":"string"},"url":{"description":"URL configures the GitLab instance URL. 
Defaults to https://gitlab.com/.","type":"string"}}},"ibm":{"description":"IBM configures this store to sync secrets using IBM Cloud provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the IBM secrets manager.","type":"object","required":["secretRef"],"properties":{"secretRef":{"type":"object","properties":{"secretApiKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serviceUrl":{"description":"ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance","type":"string"}}},"kubernetes":{"description":"Kubernetes configures this store to sync secrets using a Kubernetes cluster provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a Kubernetes instance.","type":"object","maxProperties":1,"minProperties":1,"properties":{"cert":{"description":"has both clientCert and clientKey as secretKeySelector","type":"object","properties":{"clientCert":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientKey":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"serviceAccount":{"description":"points to a service account that should be used for authentication","type":"object","properties":{"serviceAccount":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"token":{"description":"use static token to authenticate with","type":"object","properties":{"bearerToken":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"remoteNamespace":{"description":"Remote namespace to fetch the secrets from","type":"string"},"server":{"description":"configures the Kubernetes server Address.","type":"object","properties":{"caBundle":{"description":"CABundle is a base64-encoded CA certificate","type":"string","format":"byte"},"caProvider":{"description":"see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"description":"configures the Kubernetes server Address.","type":"string"}}}}},"oracle":{"description":"Oracle configures this store to sync secrets using Oracle Vault 
provider","type":"object","required":["region","vault"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Oracle Vault.\nIf empty, instance principal is used. Optionally, the authenticating principal type\nand/or user data may be supplied for the use of workload identity and user principal.","type":"object","required":["secretRef","tenancy","user"],"properties":{"secretRef":{"description":"SecretRef to pass through sensitive information.","type":"object","required":["fingerprint","privatekey"],"properties":{"fingerprint":{"description":"Fingerprint is the fingerprint of the API private key.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"privatekey":{"description":"PrivateKey is the user's API Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"tenancy":{"description":"Tenancy is the tenancy OCID where user is located.","type":"string"},"user":{"description":"User is an access OCID specific to the account.","type":"string"}}},"compartment":{"description":"Compartment is the vault compartment OCID.\nRequired for PushSecret","type":"string"},"encryptionKey":{"description":"EncryptionKey is the OCID of the encryption key within the vault.\nRequired for PushSecret","type":"string"},"principalType":{"description":"The type of principal to use for authentication. If left blank, the Auth struct will\ndetermine the principal type. This optional field must be specified if using\nworkload identity.","type":"string","enum":["","UserPrincipal","InstancePrincipal","Workload"]},"region":{"description":"Region is the region where vault is located.","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"vault":{"description":"Vault is the vault's OCID of the specific vault where secret is located.","type":"string"}}},"vault":{"description":"Vault configures this store to sync secrets using Hashi provider","type":"object","required":["auth","server"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","roleId","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"cert":{"description":"Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method","type":"object","properties":{"clientCert":{"description":"ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"jwt":{"description":"Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method","type":"object","required":["path"],"properties":{"kubernetesServiceAccountToken":{"description":"Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token with the `TokenRequest` API.","type":"object","required":["serviceAccountRef"],"properties":{"audiences":{"description":"Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` if not specified.","type":"array","items":{"type":"string"}},"expirationSeconds":{"description":"Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDefaults to 10 minutes.","type":"integer","format":"int64"},"serviceAccountRef":{"description":"Service account field containing the name of a kubernetes ServiceAccount.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"","type":"string"},"role":{"description":"Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method","type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["mountPath","role"],"properties":{"mountPath":{"description":"Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ldap":{"description":"Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method","type":"string"}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caBundle":{"description":"PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Vault server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"forwardInconsistent":{"description":"ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header","type":"boolean"},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.","type":"string"},"readYourWrites":{"description":"ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency","type":"boolean"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"},"version":{"description":"Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".","type":"string","enum":["v1","v2"]}}},"webhook":{"description":"Webhook configures this store to sync secrets using a generic templated webhook","type":"object","required":["result","url"],"properties":{"body":{"description":"Body","type":"string"},"caBundle":{"description":"PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate webhook server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"headers":{"description":"Headers","type":"object","additionalProperties":{"type":"string"}},"method":{"description":"Webhook Method","type":"string"},"result":{"description":"Result formatting","type":"object","properties":{"jsonPath":{"description":"Json path of return value","type":"string"}}},"secrets":{"description":"Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name","type":"array","items":{"type":"object","required":["name","secretRef"],"properties":{"name":{"description":"Name of this secret in templates","type":"string"},"secretRef":{"description":"Secret ref to fill in credentials","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}},"timeout":{"description":"Timeout","type":"string"},"url":{"description":"Webhook url to call","type":"string"}}},"yandexlockbox":{"description":"YandexLockbox configures this store to sync secrets using Yandex Lockbox provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Lockbox","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}}}},"retrySettings":{"description":"Used to configure http retries if failed","type":"object","properties":{"maxRetries":{"type":"integer","format":"int32"},"retryInterval":{"type":"string"}}}}},"status":{"description":"SecretStoreStatus defines the observed state of the SecretStore.","type":"object","properties":{"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"SecretStore","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.SecretStore"},"io.external-secrets.v1alpha1.SecretStoreList":{"description":"SecretStoreList is a list of SecretStore","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of secretstores. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1alpha1.SecretStore"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"SecretStoreList","version":"v1alpha1"}],"title":"io.external-secrets.v1alpha1.SecretStoreList"},"io.external-secrets.v1beta1.ClusterExternalSecret":{"description":"ClusterExternalSecret is the Schema for the clusterexternalsecrets API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.","type":"object","required":["externalSecretSpec"],"properties":{"externalSecretMetadata":{"description":"The metadata of the external secrets to be created","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"externalSecretName":{"description":"The name of the external secrets to be created defaults to the name of the ClusterExternalSecret","type":"string"},"externalSecretSpec":{"description":"The spec for the ExternalSecrets to be created","type":"object","properties":{"data":{"description":"Data defines the connection between the Kubernetes Secret keys and the Provider data","type":"array","items":{"description":"ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.","type":"object","required":["remoteRef","secretKey"],"properties":{"remoteRef":{"description":"RemoteRef points to the remote secret and defines\nwhich secret (version/property/..) to fetch.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"metadataPolicy":{"description":"Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None","type":"string","enum":["None","Fetch"]},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}}},"secretKey":{"description":"SecretKey defines the key in which the controller stores\nthe value. This is the key in the Kind=Secret","type":"string"},"sourceRef":{"description":"SourceRef allows you to override the source\nfrom which the value will be pulled.","type":"object","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.\n\n\nDeprecated: The generatorRef is not implemented in .data[].\nThis will be removed with v1.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}}},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}}}}}}},"dataFrom":{"description":"DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order","type":"array","items":{"type":"object","properties":{"extract":{"description":"Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"metadataPolicy":{"description":"Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None","type":"string","enum":["None","Fetch"]},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}}},"find":{"description":"Used to find secrets based on tags or regular expressions\nNote: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.","type":"object","properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"name":{"description":"Finds secrets based on the name.","type":"object","properties":{"regexp":{"description":"Finds secrets whose name matches this regular expression.","type":"string"}}},"path":{"description":"A root path to start the find operations.","type":"string"},"tags":{"description":"Find secrets based on tags.","type":"object","additionalProperties":{"type":"string"}}}},"rewrite":{"description":"Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. 
They are applied in a layered order (first to last)","type":"array","items":{"type":"object","properties":{"regexp":{"description":"Used to rewrite with regular expressions.\nThe resulting key will be the output of a regexp.ReplaceAll operation.","type":"object","required":["source","target"],"properties":{"source":{"description":"Used to define the regular expression of a re.Compiler.","type":"string"},"target":{"description":"Used to define the target pattern of a ReplaceAll operation.","type":"string"}}},"transform":{"description":"Used to apply string transformation on the secrets.\nThe resulting key will be the output of the template applied by the operation.","type":"object","required":["template"],"properties":{"template":{"description":"Used to define the template to apply on the secret name.\n`.value ` will specify the secret name in the template.","type":"string"}}}}}},"sourceRef":{"description":"SourceRef points to a store or generator\nwhich contains secret values ready to use.\nUse this in combination with Extract or Find pull values out of\na specific SecretStore.\nWhen sourceRef points to a generator Extract or Find is not supported.\nThe generator returns a static map of values","type":"object","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}}},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}}}}}}},"refreshInterval":{"description":"RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.","type":"string"},"secretStoreRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}},"target":{"description":"ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.","type":"object","properties":{"creationPolicy":{"description":"CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'","type":"string","enum":["Owner","Orphan","Merge","None"]},"deletionPolicy":{"description":"DeletionPolicy defines rules on how to delete the resulting Secret\nDefaults to 'Retain'","type":"string","enum":["Delete","Merge","Retain"]},"immutable":{"description":"Immutable defines if the final secret will be immutable","type":"boolean"},"name":{"description":"Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret 
resource","type":"string"},"template":{"description":"Template defines a blueprint for the created Secret resource.","type":"object","properties":{"data":{"type":"object","additionalProperties":{"type":"string"}},"engineVersion":{"description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","type":"string","enum":["v1","v2"]},"mergePolicy":{"type":"string","enum":["Replace","Merge"]},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"templateFrom":{"type":"array","items":{"type":"object","properties":{"configMap":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"literal":{"type":"string"},"secret":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"target":{"type":"string","enum":["Data","Annotations","Labels"]}}}},"type":{"type":"string"}}}}}}},"namespaceSelector":{"description":"The labels to select by to find the Namespaces to create the ExternalSecrets in.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Choose namespaces by name. 
This field is ORed with anything that NamespaceSelector ends up choosing.","type":"array","items":{"type":"string"}},"refreshTime":{"description":"The time in which the controller should reconcile its objects and recheck namespaces for labels.","type":"string"}}},"status":{"description":"ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.","type":"object","properties":{"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"message":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}},"externalSecretName":{"description":"ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret","type":"string"},"failedNamespaces":{"description":"Failed namespaces are the namespaces that failed to apply an ExternalSecret","type":"array","items":{"description":"ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.","type":"object","required":["namespace"],"properties":{"namespace":{"description":"Namespace is the namespace that failed when trying to apply an ExternalSecret","type":"string"},"reason":{"description":"Reason is why the ExternalSecret failed to apply to the namespace","type":"string"}}}},"provisionedNamespaces":{"description":"ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets","type":"array","items":{"type":"string"}}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterExternalSecret","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ClusterExternalSecret"},"io.external-secrets.v1beta1.ClusterExternalSecretList":{"description":"ClusterExternalSecretList is a list of ClusterExternalSecret","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterexternalsecrets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1beta1.ClusterExternalSecret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterExternalSecretList","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ClusterExternalSecretList"},"io.external-secrets.v1beta1.ClusterSecretStore":{"description":"ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecretStoreSpec defines the desired state of SecretStore.","type":"object","required":["provider"],"properties":{"conditions":{"description":"Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore","type":"array","items":{"description":"ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in\nfor a ClusterSecretStore instance.","type":"object","properties":{"namespaceSelector":{"description":"Choose namespace using a labelSelector","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Choose namespaces by name","type":"array","items":{"type":"string"}}}}},"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters ES based on this property","type":"string"},"provider":{"description":"Used to configure the provider. Only one provider may be set","type":"object","maxProperties":1,"minProperties":1,"properties":{"akeyless":{"description":"Akeyless configures this store to sync secrets using Akeyless Vault provider","type":"object","required":["akeylessGWApiURL","authSecretRef"],"properties":{"akeylessGWApiURL":{"description":"Akeyless GW API Url from which the secrets to be fetched from.","type":"string"},"authSecretRef":{"description":"Auth configures how the operator authenticates with Akeyless.","type":"object","properties":{"kubernetesAuth":{"description":"Kubernetes authenticates with Akeyless by passing the ServiceAccount\ntoken stored in the named Secret resource.","type":"object","required":["accessID","k8sConfName"],"properties":{"accessID":{"description":"the Akeyless Kubernetes auth-method access-id","type":"string"},"k8sConfName":{"description":"Kubernetes-auth configuration name in Akeyless-Gateway","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Akeyless. If a name is specified without a key,\n`token` is the default. 
If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Akeyless. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"Reference to a Secret that contains the details\nto authenticate with Akeyless.","type":"object","properties":{"accessID":{"description":"The SecretAccessID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessType":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessTypeParam":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"caBundle":{"description":"PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used\nif the AkeylessGWApiURL URL is using HTTPS protocol. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Akeyless Gateway certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}}}},"alibaba":{"description":"Alibaba configures this store to sync secrets using Alibaba Cloud provider","type":"object","required":["auth","regionID"],"properties":{"auth":{"description":"AlibabaAuth contains a secretRef for credentials.","type":"object","properties":{"rrsa":{"description":"Authenticate against Alibaba using RRSA.","type":"object","required":["oidcProviderArn","oidcTokenFilePath","roleArn","sessionName"],"properties":{"oidcProviderArn":{"type":"string"},"oidcTokenFilePath":{"type":"string"},"roleArn":{"type":"string"},"sessionName":{"type":"string"}}},"secretRef":{"description":"AlibabaAuthSecretRef holds secret references for Alibaba credentials.","type":"object","required":["accessKeyIDSecretRef","accessKeySecretSecretRef"],"properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessKeySecretSecretRef":{"description":"The AccessKeySecret is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"regionID":{"description":"Alibaba Region to be used for the provider","type":"string"}}},"aws":{"description":"AWS configures this store to sync secrets using AWS Secret Manager provider","type":"object","required":["region","service"],"properties":{"additionalRoles":{"description":"AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role","type":"array","items":{"type":"string"}},"auth":{"description":"Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","properties":{"jwt":{"description":"Authenticate against AWS using service account tokens.","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience 
specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"externalID":{"description":"AWS External ID set on assumed IAM roles","type":"string"},"region":{"description":"AWS Region to be used for the provider","type":"string"},"role":{"description":"Role is a Role ARN which the provider will assume","type":"string"},"secretsManager":{"description":"SecretsManager defines how the provider behaves when interacting with AWS SecretsManager","type":"object","properties":{"forceDeleteWithoutRecovery":{"description":"Specifies whether to delete the secret without any recovery window. You\ncan't use both this parameter and RecoveryWindowInDays in the same call.\nIf you don't use either, then by default Secrets Manager uses a 30 day\nrecovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery","type":"boolean"},"recoveryWindowInDays":{"description":"The number of days from 7 to 30 that Secrets Manager waits before\npermanently deleting the secret. You can't use both this parameter and\nForceDeleteWithoutRecovery in the same call. 
If you don't use either,\nthen by default Secrets Manager uses a 30 day recovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays","type":"integer","format":"int64"}}},"service":{"description":"Service defines which service should be used to fetch the secrets","type":"string","enum":["SecretsManager","ParameterStore"]},"sessionTags":{"description":"AWS STS assume role session tags","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"transitiveTagKeys":{"description":"AWS STS assume role transitive session tags. Required when multiple rules are used with the provider","type":"array","items":{"type":"string"}}}},"azurekv":{"description":"AzureKV configures this store to sync secrets using Azure Key Vault provider","type":"object","required":["vaultUrl"],"properties":{"authSecretRef":{"description":"Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.","type":"object","properties":{"clientId":{"description":"The Azure clientId of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientSecret":{"description":"The Azure ClientSecret of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"authType":{"description":"Auth type defines how to authenticate to the keyvault service.\nValid values are:\n- \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret)\n- \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)\n- \"WorkloadIdentity\": Using Workload Identity with the service account referenced by serviceAccountRef","type":"string","enum":["ServicePrincipal","ManagedIdentity","WorkloadIdentity"]},"environmentType":{"description":"EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud","type":"string","enum":["PublicCloud","USGovernmentCloud","ChinaCloud","GermanCloud"]},"identityId":{"description":"If multiple Managed Identity is assigned to the pod, you can select the one to be used","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"tenantId":{"description":"TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.","type":"string"},"vaultUrl":{"description":"Vault Url from which the secrets to be fetched from.","type":"string"}}},"chef":{"description":"Chef configures this store to sync secrets with chef server","type":"object","required":["auth","serverUrl","username"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against chef Server","type":"object","required":["secretRef"],"properties":{"secretRef":{"description":"ChefAuthSecretRef holds secret references for chef server login credentials.","type":"object","required":["privateKeySecretRef"],"properties":{"privateKeySecretRef":{"description":"SecretKey is the Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serverUrl":{"description":"ServerURL is the chef server URL used to connect to. 
If using orgs you should include your org in the url and terminate the url with a \"/\"","type":"string"},"username":{"description":"UserName should be the user ID on the chef server","type":"string"}}},"conjur":{"description":"Conjur configures this store to sync secrets using conjur provider","type":"object","required":["auth","url"],"properties":{"auth":{"type":"object","properties":{"apikey":{"type":"object","required":["account","apiKeyRef","userRef"],"properties":{"account":{"type":"string"},"apiKeyRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"userRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"jwt":{"type":"object","required":["account","serviceID"],"properties":{"account":{"type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Conjur using the JWT authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional ServiceAccountRef specifies the Kubernetes service account for which to request\na token for with the `TokenRequest` API.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceID":{"description":"The conjur authn jwt webservice id","type":"string"}}}}},"caBundle":{"type":"string"},"caProvider":{"description":"Used to provide custom certificate authority (CA) certificates\nfor a secret store. 
The CAProvider points to a Secret or ConfigMap resource\nthat contains a PEM-encoded certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"type":"string"}}},"delinea":{"description":"Delinea DevOps Secrets Vault\nhttps://docs.delinea.com/online-help/products/devops-secrets-vault/current","type":"object","required":["clientId","clientSecret","tenant"],"properties":{"clientId":{"description":"ClientID is the non-secret part of the credential.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}},"clientSecret":{"description":"ClientSecret is the secret part of the credential.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret. For ClientSecret, a value set here is stored in plain text in the SecretStore resource; secretRef keeps it in a Secret instead.","type":"string"}}},"tenant":{"description":"Tenant is the chosen hostname / site name.","type":"string"},"tld":{"description":"TLD is based on the server location that was chosen during provisioning.\nIf unset, defaults to \"com\".","type":"string"},"urlTemplate":{"description":"URLTemplate\nIf unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\".","type":"string"}}},"doppler":{"description":"Doppler configures this store to sync secrets using the Doppler provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how the Operator authenticates with the Doppler API","type":"object","required":["secretRef"],"properties":{"secretRef":{"type":"object","required":["dopplerToken"],"properties":{"dopplerToken":{"description":"The DopplerToken is used for authentication.\nSee https://docs.doppler.com/reference/api#authentication for auth token types.\nThe Key attribute defaults to dopplerToken if not 
specified.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"config":{"description":"Doppler config (required if not using a Service Token)","type":"string"},"format":{"description":"Format enables the downloading of secrets as a file (string)","type":"string","enum":["json","dotnet-json","env","yaml","docker"]},"nameTransformer":{"description":"Environment variable compatible name transforms that change secret names to a different format","type":"string","enum":["upper-camel","camel","lower-snake","tf-var","dotnet-env","lower-kebab"]},"project":{"description":"Doppler project (required if not using a Service Token)","type":"string"}}},"fake":{"description":"Fake configures a store with static key/value pairs","type":"object","required":["data"],"properties":{"data":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"},"valueMap":{"description":"Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.","type":"object","additionalProperties":{"type":"string"}},"version":{"type":"string"}}}}}},"gcpsm":{"description":"GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider","type":"object","properties":{"auth":{"description":"Auth defines the information necessary to authenticate against GCP","type":"object","properties":{"secretRef":{"type":"object","properties":{"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for 
authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"workloadIdentity":{"type":"object","required":["clusterLocation","clusterName","serviceAccountRef"],"properties":{"clusterLocation":{"type":"string"},"clusterName":{"type":"string"},"clusterProjectID":{"type":"string"},"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID project where secret is located","type":"string"}}},"gitlab":{"description":"GitLab configures this store to sync secrets using GitLab Variables provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a GitLab instance.","type":"object","required":["SecretRef"],"properties":{"SecretRef":{"type":"object","properties":{"accessToken":{"description":"AccessToken is used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"environment":{"description":"Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)","type":"string"},"groupIDs":{"description":"GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.","type":"array","items":{"type":"string"}},"inheritFromGroups":{"description":"InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.","type":"boolean"},"projectID":{"description":"ProjectID specifies a project where secrets are located.","type":"string"},"url":{"description":"URL configures the GitLab instance URL. 
Defaults to https://gitlab.com/.","type":"string"}}},"ibm":{"description":"IBM configures this store to sync secrets using IBM Cloud provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the IBM secrets manager.","type":"object","maxProperties":1,"minProperties":1,"properties":{"containerAuth":{"description":"IBM Container-based auth with IAM Trusted Profile.","type":"object","required":["profile"],"properties":{"iamEndpoint":{"type":"string"},"profile":{"description":"the IBM Trusted Profile","type":"string"},"tokenLocation":{"description":"Location the token is mounted on the pod","type":"string"}}},"secretRef":{"type":"object","properties":{"secretApiKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serviceUrl":{"description":"ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance","type":"string"}}},"keepersecurity":{"description":"KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider","type":"object","required":["authRef","folderID"],"properties":{"authRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"folderID":{"type":"string"}}},"kubernetes":{"description":"Kubernetes configures this store to sync secrets using a Kubernetes cluster provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a Kubernetes instance.","type":"object","maxProperties":1,"minProperties":1,"properties":{"cert":{"description":"has both clientCert and clientKey as secretKeySelector","type":"object","properties":{"clientCert":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientKey":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"serviceAccount":{"description":"points to a service account that should be used for authentication","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"token":{"description":"use static token to authenticate with","type":"object","properties":{"bearerToken":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"remoteNamespace":{"description":"Remote namespace to fetch the secrets from","type":"string"},"server":{"description":"configures the Kubernetes server Address.","type":"object","properties":{"caBundle":{"description":"CABundle is a base64-encoded CA certificate","type":"string","format":"byte"},"caProvider":{"description":"see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"description":"configures the Kubernetes server Address.","type":"string"}}}}},"onepassword":{"description":"OnePassword configures this store to sync secrets using the 1Password Cloud provider","type":"object","required":["auth","connectHost","vaults"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against OnePassword Connect Server","type":"object","required":["secretRef"],"properties":{"secretRef":{"description":"OnePasswordAuthSecretRef holds secret references for 1Password credentials.","type":"object","required":["connectTokenSecretRef"],"properties":{"connectTokenSecretRef":{"description":"The ConnectToken is used for authentication to a 1Password Connect Server.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"connectHost":{"description":"ConnectHost defines the OnePassword Connect Server to connect to","type":"string"},"vaults":{"description":"Vaults defines which OnePassword vaults to search in which order","type":"object","additionalProperties":{"type":"integer"}}}},"oracle":{"description":"Oracle configures this store to sync secrets using Oracle Vault provider","type":"object","required":["region","vault"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Oracle Vault.\nIf empty, use the instance principal, otherwise the user credentials specified in Auth.","type":"object","required":["secretRef","tenancy","user"],"properties":{"secretRef":{"description":"SecretRef to pass through sensitive information.","type":"object","required":["fingerprint","privatekey"],"properties":{"fingerprint":{"description":"Fingerprint is the fingerprint of the API private key.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"privatekey":{"description":"PrivateKey is the user's API Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"tenancy":{"description":"Tenancy is the tenancy OCID where user is located.","type":"string"},"user":{"description":"User is an access OCID specific to the account.","type":"string"}}},"compartment":{"description":"Compartment is the vault compartment OCID.\nRequired for PushSecret","type":"string"},"encryptionKey":{"description":"EncryptionKey is the OCID of the encryption key within the vault.\nRequired for PushSecret","type":"string"},"principalType":{"description":"The type of principal to use for authentication. If left blank, the Auth struct will\ndetermine the principal type. This optional field must be specified if using\nworkload identity.","type":"string","enum":["","UserPrincipal","InstancePrincipal","Workload"]},"region":{"description":"Region is the region where vault is located.","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"vault":{"description":"Vault is the vault's OCID of the specific vault where secret is located.","type":"string"}}},"pulumi":{"description":"Pulumi configures this store to sync secrets using the Pulumi provider","type":"object","required":["accessToken","environment","organization"],"properties":{"accessToken":{"description":"AccessToken is the access tokens to sign in to the Pulumi Cloud Console.","type":"object","properties":{"secretRef":{"description":"SecretRef is a reference to a secret containing the Pulumi API token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"apiUrl":{"description":"APIURL is the URL of the Pulumi API.","type":"string"},"environment":{"description":"Environment are YAML documents composed of static key-value pairs, programmatic expressions,\ndynamically retrieved values from supported providers including all major clouds,\nand other Pulumi ESC environments.\nTo create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.","type":"string"},"organization":{"description":"Organization are a space to collaborate on shared projects and stacks.\nTo create a new organization, visit https://app.pulumi.com/ and click \"New Organization\".","type":"string"}}},"scaleway":{"description":"Scaleway","type":"object","required":["accessKey","projectId","region","secretKey"],"properties":{"accessKey":{"description":"AccessKey is the non-secret part of the api key.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}},"apiUrl":{"description":"APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com","type":"string"},"projectId":{"description":"ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings","type":"string"},"region":{"description":"Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone","type":"string"},"secretKey":{"description":"SecretKey is the secret part of the api key.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}}}},"senhasegura":{"description":"Senhasegura configures this store to sync secrets using senhasegura provider","type":"object","required":["auth","module","url"],"properties":{"auth":{"description":"Auth defines parameters to authenticate in senhasegura","type":"object","required":["clientId","clientSecretSecretRef"],"properties":{"clientId":{"type":"string"},"clientSecretSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ignoreSslCertificate":{"description":"IgnoreSslCertificate defines whether the SSL certificate presented by the senhasegura server is ignored. When it is ignored the server's identity is not verified, so enable this only for testing.","type":"boolean"},"module":{"description":"Module defines which senhasegura module should be used to get secrets","type":"string"},"url":{"description":"URL of senhasegura","type":"string"}}},"vault":{"description":"Vault configures this store to sync secrets using the HashiCorp Vault provider","type":"object","required":["auth","server"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"roleRef":{"description":"Reference to a key in a Secret that contains the App Role ID used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role id.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"cert":{"description":"Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method","type":"object","properties":{"clientCert":{"description":"ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"iam":{"description":"Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method","type":"object","required":["vaultRole"],"properties":{"externalID":{"description":"AWS External ID set on assumed IAM roles","type":"string"},"jwt":{"description":"Specify a service account with IRSA enabled","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the AWS auth method is enabled in Vault, e.g: \"aws\"","type":"string"},"region":{"description":"AWS region","type":"string"},"role":{"description":"This is the AWS role to be assumed before talking to vault","type":"string"},"secretRef":{"description":"Specify credentials in a Secret object","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"vaultAwsIamServerID":{"description":"X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws","type":"string"},"vaultRole":{"description":"Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine","type":"string"}}},"jwt":{"description":"Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method","type":"object","required":["path"],"properties":{"kubernetesServiceAccountToken":{"description":"Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token with the `TokenRequest` API.","type":"object","required":["serviceAccountRef"],"properties":{"audiences":{"description":"Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` if not specified.\nDeprecated: use serviceAccountRef.Audiences instead","type":"array","items":{"type":"string"}},"expirationSeconds":{"description":"Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDeprecated: this will be removed in the future.\nDefaults to 10 minutes.","type":"integer","format":"int64"},"serviceAccountRef":{"description":"Service account field containing the name of a kubernetes ServiceAccount.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen these audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"","type":"string"},"role":{"description":"Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method","type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["mountPath","role"],"properties":{"mountPath":{"description":"Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ldap":{"description":"Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method","type":"string"}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"userPass":{"description":"UserPass authenticates with Vault by passing username/password pair","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the UserPassword authentication backend is mounted\nin Vault, e.g: \"user\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the\nuser used to authenticate with Vault using the UserPass authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a user name used to authenticate using the UserPass Vault\nauthentication method","type":"string"}}}}},"caBundle":{"description":"PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Vault server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"forwardInconsistent":{"description":"ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header","type":"boolean"},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.","type":"string"},"readYourWrites":{"description":"ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency","type":"boolean"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"},"tls":{"description":"The configuration used for client side related TLS communication, when the Vault server\nrequires mutual authentication. Only used if the Server URL is using HTTPS protocol.\nThis parameter is ignored for plain HTTP protocol connection.\nIt's worth noting this configuration is different from the \"TLS certificates auth method\",\nwhich is available under the `auth.cert` section.","type":"object","properties":{"certSecretRef":{"description":"CertSecretRef is a certificate added to the transport layer\nwhen communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.crt'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"keySecretRef":{"description":"KeySecretRef to a key in a Secret resource containing client private key\nadded to the transport layer when communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.key'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"version":{"description":"Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".","type":"string","enum":["v1","v2"]}}},"webhook":{"description":"Webhook configures this store to sync secrets using a generic templated webhook","type":"object","required":["result","url"],"properties":{"body":{"description":"Body","type":"string"},"caBundle":{"description":"PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate webhook server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key of the value inside the provider type to use, only used with the \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"headers":{"description":"Headers","type":"object","additionalProperties":{"type":"string"}},"method":{"description":"Webhook Method","type":"string"},"result":{"description":"Result formatting","type":"object","properties":{"jsonPath":{"description":"Json path of return value","type":"string"}}},"secrets":{"description":"Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name","type":"array","items":{"type":"object","required":["name","secretRef"],"properties":{"name":{"description":"Name of this secret in templates","type":"string"},"secretRef":{"description":"Secret ref to fill in credentials","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}},"timeout":{"description":"Timeout","type":"string"},"url":{"description":"Webhook url to call","type":"string"}}},"yandexcertificatemanager":{"description":"YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Certificate Manager","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"yandexlockbox":{"description":"YandexLockbox configures this store to sync secrets using Yandex Lockbox provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Lockbox","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}}}},"refreshInterval":{"description":"Used to configure store refresh interval in seconds. 
Empty or 0 will default to the controller config.","type":"integer"},"retrySettings":{"description":"Used to configure http retries if failed","type":"object","properties":{"maxRetries":{"type":"integer","format":"int32"},"retryInterval":{"type":"string"}}}}},"status":{"description":"SecretStoreStatus defines the observed state of the SecretStore.","type":"object","properties":{"capabilities":{"description":"SecretStoreCapabilities defines the possible operations a SecretStore can do.","type":"string"},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterSecretStore","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ClusterSecretStore"},"io.external-secrets.v1beta1.ClusterSecretStoreList":{"description":"ClusterSecretStoreList is a list of ClusterSecretStore","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustersecretstores. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1beta1.ClusterSecretStore"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ClusterSecretStoreList","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ClusterSecretStoreList"},"io.external-secrets.v1beta1.ExternalSecret":{"description":"ExternalSecret is the Schema for the external-secrets API.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ExternalSecretSpec defines the desired state of ExternalSecret.","type":"object","properties":{"data":{"description":"Data defines the connection between the Kubernetes Secret keys and the Provider data","type":"array","items":{"description":"ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.","type":"object","required":["remoteRef","secretKey"],"properties":{"remoteRef":{"description":"RemoteRef points to the remote secret and defines\nwhich secret (version/property/..) to fetch.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"metadataPolicy":{"description":"Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None","type":"string","enum":["None","Fetch"]},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}}},"secretKey":{"description":"SecretKey defines the key in which the controller stores\nthe value. 
This is the key in the Kind=Secret","type":"string"},"sourceRef":{"description":"SourceRef allows you to override the source\nfrom which the value will be pulled.","type":"object","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.\n\n\nDeprecated: The generatorRef is not implemented in .data[].\nthis will be removed with v1.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}}},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data from.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}}}}}}},"dataFrom":{"description":"DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order","type":"array","items":{"type":"object","properties":{"extract":{"description":"Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.","type":"object","required":["key"],"properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"metadataPolicy":{"description":"Policy for fetching tags/labels from provider secrets, 
possible options are Fetch, None. Defaults to None","type":"string","enum":["None","Fetch"]},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}}},"find":{"description":"Used to find secrets based on tags or regular expressions\nNote: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.","type":"object","properties":{"conversionStrategy":{"description":"Used to define a conversion Strategy","type":"string","enum":["Default","Unicode"]},"decodingStrategy":{"description":"Used to define a decoding Strategy","type":"string","enum":["Auto","Base64","Base64URL","None"]},"name":{"description":"Finds secrets based on the name.","type":"object","properties":{"regexp":{"description":"Finds secrets based on a regular expression matched against the secret name.","type":"string"}}},"path":{"description":"A root path to start the find operations.","type":"string"},"tags":{"description":"Find secrets based on tags.","type":"object","additionalProperties":{"type":"string"}}}},"rewrite":{"description":"Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. 
They are applied in a layered order (first to last)","type":"array","items":{"type":"object","properties":{"regexp":{"description":"Used to rewrite with regular expressions.\nThe resulting key will be the output of a regexp.ReplaceAll operation.","type":"object","required":["source","target"],"properties":{"source":{"description":"Used to define the regular expression of a re.Compiler.","type":"string"},"target":{"description":"Used to define the target pattern of a ReplaceAll operation.","type":"string"}}},"transform":{"description":"Used to apply string transformation on the secrets.\nThe resulting key will be the output of the template applied by the operation.","type":"object","required":["template"],"properties":{"template":{"description":"Used to define the template to apply on the secret name.\n`.value ` will specify the secret name in the template.","type":"string"}}}}}},"sourceRef":{"description":"SourceRef points to a store or generator\nwhich contains secret values ready to use.\nUse this in combination with Extract or Find pull values out of\na specific SecretStore.\nWhen sourceRef points to a generator Extract or Find is not supported.\nThe generator returns a static map of values","type":"object","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}}},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}}}}}}},"refreshInterval":{"description":"RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.","type":"string"},"secretStoreRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","type":"object","required":["name"],"properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}}},"target":{"description":"ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.","type":"object","properties":{"creationPolicy":{"description":"CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'","type":"string","enum":["Owner","Orphan","Merge","None"]},"deletionPolicy":{"description":"DeletionPolicy defines rules on how to delete the resulting Secret\nDefaults to 'Retain'","type":"string","enum":["Delete","Merge","Retain"]},"immutable":{"description":"Immutable defines if the final secret will be immutable","type":"boolean"},"name":{"description":"Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret 
resource","type":"string"},"template":{"description":"Template defines a blueprint for the created Secret resource.","type":"object","properties":{"data":{"type":"object","additionalProperties":{"type":"string"}},"engineVersion":{"description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","type":"string","enum":["v1","v2"]},"mergePolicy":{"type":"string","enum":["Replace","Merge"]},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.","type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}}}},"templateFrom":{"type":"array","items":{"type":"object","properties":{"configMap":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"literal":{"type":"string"},"secret":{"type":"object","required":["items","name"],"properties":{"items":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"templateAs":{"type":"string","enum":["Values","KeysAndValues"]}}}},"name":{"type":"string"}}},"target":{"type":"string","enum":["Data","Annotations","Labels"]}}}},"type":{"type":"string"}}}}}}},"status":{"type":"object","properties":{"binding":{"description":"Binding represents a servicebinding.io Provisioned Service reference to the secret","type":"object","properties":{"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. 
apiVersion, kind, uid?","type":"string"}},"x-kubernetes-map-type":"atomic"},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}},"refreshTime":{"description":"refreshTime is the time and date the external secret was fetched and\nthe target secret updated","format":"date-time"},"syncedResourceVersion":{"description":"SyncedResourceVersion keeps track of the last synced version","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ExternalSecret","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ExternalSecret"},"io.external-secrets.v1beta1.ExternalSecretList":{"description":"ExternalSecretList is a list of ExternalSecret","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of externalsecrets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1beta1.ExternalSecret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"ExternalSecretList","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.ExternalSecretList"},"io.external-secrets.v1beta1.SecretStore":{"description":"SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"SecretStoreSpec defines the desired state of SecretStore.","type":"object","required":["provider"],"properties":{"conditions":{"description":"Used to constraint a ClusterSecretStore to specific namespaces. 
Relevant only to ClusterSecretStore","type":"array","items":{"description":"ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in\nfor a ClusterSecretStore instance.","type":"object","properties":{"namespaceSelector":{"description":"Choose namespace using a labelSelector","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Choose namespaces by name","type":"array","items":{"type":"string"}}}}},"controller":{"description":"Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters ES based on this property","type":"string"},"provider":{"description":"Used to configure the provider. Only one provider may be set","type":"object","maxProperties":1,"minProperties":1,"properties":{"akeyless":{"description":"Akeyless configures this store to sync secrets using Akeyless Vault provider","type":"object","required":["akeylessGWApiURL","authSecretRef"],"properties":{"akeylessGWApiURL":{"description":"Akeyless GW API Url from which the secrets to be fetched from.","type":"string"},"authSecretRef":{"description":"Auth configures how the operator authenticates with Akeyless.","type":"object","properties":{"kubernetesAuth":{"description":"Kubernetes authenticates with Akeyless by passing the ServiceAccount\ntoken stored in the named Secret resource.","type":"object","required":["accessID","k8sConfName"],"properties":{"accessID":{"description":"the Akeyless Kubernetes auth-method access-id","type":"string"},"k8sConfName":{"description":"Kubernetes-auth configuration name in Akeyless-Gateway","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Akeyless. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Akeyless. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"Reference to a Secret that contains the details\nto authenticate with Akeyless.","type":"object","properties":{"accessID":{"description":"The SecretAccessID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessType":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessTypeParam":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"caBundle":{"description":"PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used\nif the AkeylessGWApiURL URL is using HTTPS protocol. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Akeyless Gateway certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}}}},"alibaba":{"description":"Alibaba configures this store to sync secrets using Alibaba Cloud provider","type":"object","required":["auth","regionID"],"properties":{"auth":{"description":"AlibabaAuth contains a secretRef for credentials.","type":"object","properties":{"rrsa":{"description":"Authenticate against Alibaba using RRSA.","type":"object","required":["oidcProviderArn","oidcTokenFilePath","roleArn","sessionName"],"properties":{"oidcProviderArn":{"type":"string"},"oidcTokenFilePath":{"type":"string"},"roleArn":{"type":"string"},"sessionName":{"type":"string"}}},"secretRef":{"description":"AlibabaAuthSecretRef holds secret references for Alibaba credentials.","type":"object","required":["accessKeyIDSecretRef","accessKeySecretSecretRef"],"properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"accessKeySecretSecretRef":{"description":"The AccessKeySecret is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"regionID":{"description":"Alibaba Region to be used for the provider","type":"string"}}},"aws":{"description":"AWS configures this store to sync secrets using AWS Secret Manager provider","type":"object","required":["region","service"],"properties":{"additionalRoles":{"description":"AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role","type":"array","items":{"type":"string"}},"auth":{"description":"Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials","type":"object","properties":{"jwt":{"description":"Authenticate against AWS using service account tokens.","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience 
specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"secretRef":{"description":"AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"externalID":{"description":"AWS External ID set on assumed IAM roles","type":"string"},"region":{"description":"AWS Region to be used for the provider","type":"string"},"role":{"description":"Role is a Role ARN which the provider will assume","type":"string"},"secretsManager":{"description":"SecretsManager defines how the provider behaves when interacting with AWS SecretsManager","type":"object","properties":{"forceDeleteWithoutRecovery":{"description":"Specifies whether to delete the secret without any recovery window. You\ncan't use both this parameter and RecoveryWindowInDays in the same call.\nIf you don't use either, then by default Secrets Manager uses a 30 day\nrecovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery","type":"boolean"},"recoveryWindowInDays":{"description":"The number of days from 7 to 30 that Secrets Manager waits before\npermanently deleting the secret. You can't use both this parameter and\nForceDeleteWithoutRecovery in the same call. 
If you don't use either,\nthen by default Secrets Manager uses a 30 day recovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays","type":"integer","format":"int64"}}},"service":{"description":"Service defines which service should be used to fetch the secrets","type":"string","enum":["SecretsManager","ParameterStore"]},"sessionTags":{"description":"AWS STS assume role session tags","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"type":"string"},"value":{"type":"string"}}}},"transitiveTagKeys":{"description":"AWS STS assume role transitive session tags. Required when multiple rules are used with the provider","type":"array","items":{"type":"string"}}}},"azurekv":{"description":"AzureKV configures this store to sync secrets using Azure Key Vault provider","type":"object","required":["vaultUrl"],"properties":{"authSecretRef":{"description":"Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.","type":"object","properties":{"clientId":{"description":"The Azure clientId of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientSecret":{"description":"The Azure ClientSecret of the service principal used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"authType":{"description":"Auth type defines how to authenticate to the keyvault service.\nValid values are:\n- \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret)\n- \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)\n- \"WorkloadIdentity\": Using the service account referenced by serviceAccountRef","type":"string","enum":["ServicePrincipal","ManagedIdentity","WorkloadIdentity"]},"environmentType":{"description":"EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud","type":"string","enum":["PublicCloud","USGovernmentCloud","ChinaCloud","GermanCloud"]},"identityId":{"description":"If multiple Managed Identity is assigned to the pod, you can select the one to be used","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"tenantId":{"description":"TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.","type":"string"},"vaultUrl":{"description":"Vault Url from which the secrets to be fetched from.","type":"string"}}},"chef":{"description":"Chef configures this store to sync secrets with chef server","type":"object","required":["auth","serverUrl","username"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against chef Server","type":"object","required":["secretRef"],"properties":{"secretRef":{"description":"ChefAuthSecretRef holds secret references for chef server login credentials.","type":"object","required":["privateKeySecretRef"],"properties":{"privateKeySecretRef":{"description":"SecretKey is the Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serverUrl":{"description":"ServerURL is the chef server URL used to connect to. 
If using orgs you should include your org in the url and terminate the url with a \"/\"","type":"string"},"username":{"description":"UserName should be the user ID on the chef server","type":"string"}}},"conjur":{"description":"Conjur configures this store to sync secrets using conjur provider","type":"object","required":["auth","url"],"properties":{"auth":{"type":"object","properties":{"apikey":{"type":"object","required":["account","apiKeyRef","userRef"],"properties":{"account":{"type":"string"},"apiKeyRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"userRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"jwt":{"type":"object","required":["account","serviceID"],"properties":{"account":{"type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Conjur using the JWT authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional ServiceAccountRef specifies the Kubernetes service account for which to request\na token for with the `TokenRequest` API.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceID":{"description":"The conjur authn jwt webservice id","type":"string"}}}}},"caBundle":{"type":"string"},"caProvider":{"description":"Used to provide custom certificate authority (CA) certificates\nfor a secret store. 
The CAProvider points to a Secret or ConfigMap resource\nthat contains a PEM-encoded certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"type":"string"}}},"delinea":{"description":"Delinea DevOps Secrets Vault\nhttps://docs.delinea.com/online-help/products/devops-secrets-vault/current","type":"object","required":["clientId","clientSecret","tenant"],"properties":{"clientId":{"description":"ClientID is the non-secret part of the credential.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}},"clientSecret":{"description":"ClientSecret is the secret part of the credential.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}},"tenant":{"description":"Tenant is the chosen hostname / site name.","type":"string"},"tld":{"description":"TLD is based on the server location that was chosen during provisioning.\nIf unset, defaults to \"com\".","type":"string"},"urlTemplate":{"description":"URLTemplate\nIf unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\".","type":"string"}}},"doppler":{"description":"Doppler configures this store to sync secrets using the Doppler provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how the Operator authenticates with the Doppler API","type":"object","required":["secretRef"],"properties":{"secretRef":{"type":"object","required":["dopplerToken"],"properties":{"dopplerToken":{"description":"The DopplerToken is used for authentication.\nSee https://docs.doppler.com/reference/api#authentication for auth token types.\nThe Key attribute defaults to dopplerToken if not 
specified.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"config":{"description":"Doppler config (required if not using a Service Token)","type":"string"},"format":{"description":"Format enables the downloading of secrets as a file (string)","type":"string","enum":["json","dotnet-json","env","yaml","docker"]},"nameTransformer":{"description":"Environment variable compatible name transforms that change secret names to a different format","type":"string","enum":["upper-camel","camel","lower-snake","tf-var","dotnet-env","lower-kebab"]},"project":{"description":"Doppler project (required if not using a Service Token)","type":"string"}}},"fake":{"description":"Fake configures a store with static key/value pairs","type":"object","required":["data"],"properties":{"data":{"type":"array","items":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"value":{"type":"string"},"valueMap":{"description":"Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.","type":"object","additionalProperties":{"type":"string"}},"version":{"type":"string"}}}}}},"gcpsm":{"description":"GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider","type":"object","properties":{"auth":{"description":"Auth defines the information necessary to authenticate against GCP","type":"object","properties":{"secretRef":{"type":"object","properties":{"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for 
authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"workloadIdentity":{"type":"object","required":["clusterLocation","clusterName","serviceAccountRef"],"properties":{"clusterLocation":{"type":"string"},"clusterName":{"type":"string"},"clusterProjectID":{"type":"string"},"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"projectID":{"description":"ProjectID project where secret is located","type":"string"}}},"gitlab":{"description":"GitLab configures this store to sync secrets using GitLab Variables provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a GitLab instance.","type":"object","required":["SecretRef"],"properties":{"SecretRef":{"type":"object","properties":{"accessToken":{"description":"AccessToken is used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"environment":{"description":"Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)","type":"string"},"groupIDs":{"description":"GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.","type":"array","items":{"type":"string"}},"inheritFromGroups":{"description":"InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.","type":"boolean"},"projectID":{"description":"ProjectID specifies a project where secrets are located.","type":"string"},"url":{"description":"URL configures the GitLab instance URL. 
Defaults to https://gitlab.com/.","type":"string"}}},"ibm":{"description":"IBM configures this store to sync secrets using IBM Cloud provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the IBM secrets manager.","type":"object","maxProperties":1,"minProperties":1,"properties":{"containerAuth":{"description":"IBM Container-based auth with IAM Trusted Profile.","type":"object","required":["profile"],"properties":{"iamEndpoint":{"type":"string"},"profile":{"description":"the IBM Trusted Profile","type":"string"},"tokenLocation":{"description":"Location the token is mounted on the pod","type":"string"}}},"secretRef":{"type":"object","properties":{"secretApiKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"serviceUrl":{"description":"ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance","type":"string"}}},"keepersecurity":{"description":"KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider","type":"object","required":["authRef","folderID"],"properties":{"authRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"folderID":{"type":"string"}}},"kubernetes":{"description":"Kubernetes configures this store to sync secrets using a Kubernetes cluster provider","type":"object","required":["auth"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with a Kubernetes instance.","type":"object","maxProperties":1,"minProperties":1,"properties":{"cert":{"description":"has both clientCert and clientKey as secretKeySelector","type":"object","properties":{"clientCert":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"clientKey":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"serviceAccount":{"description":"points to a service account that should be used for authentication","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"token":{"description":"use static token to authenticate with","type":"object","properties":{"bearerToken":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"remoteNamespace":{"description":"Remote namespace to fetch the secrets from","type":"string"},"server":{"description":"configures the Kubernetes server Address.","type":"object","properties":{"caBundle":{"description":"CABundle is a base64-encoded CA certificate","type":"string","format":"byte"},"caProvider":{"description":"see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"url":{"description":"configures the Kubernetes server Address.","type":"string"}}}}},"onepassword":{"description":"OnePassword configures this store to sync secrets using the 1Password Cloud provider","type":"object","required":["auth","connectHost","vaults"],"properties":{"auth":{"description":"Auth defines the information necessary to authenticate against OnePassword Connect Server","type":"object","required":["secretRef"],"properties":{"secretRef":{"description":"OnePasswordAuthSecretRef holds secret references for 1Password credentials.","type":"object","required":["connectTokenSecretRef"],"properties":{"connectTokenSecretRef":{"description":"The ConnectToken is used for authentication to a 1Password Connect Server.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"connectHost":{"description":"ConnectHost defines the OnePassword Connect Server to connect to","type":"string"},"vaults":{"description":"Vaults defines which OnePassword vaults to search in which order","type":"object","additionalProperties":{"type":"integer"}}}},"oracle":{"description":"Oracle configures this store to sync secrets using Oracle Vault provider","type":"object","required":["region","vault"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Oracle Vault.\nIf empty, use the instance principal, otherwise the user credentials specified in Auth.","type":"object","required":["secretRef","tenancy","user"],"properties":{"secretRef":{"description":"SecretRef to pass through sensitive information.","type":"object","required":["fingerprint","privatekey"],"properties":{"fingerprint":{"description":"Fingerprint is the fingerprint of the API private key.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"privatekey":{"description":"PrivateKey is the user's API Signing Key in PEM format, used for authentication.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"tenancy":{"description":"Tenancy is the tenancy OCID where user is located.","type":"string"},"user":{"description":"User is an access OCID specific to the account.","type":"string"}}},"compartment":{"description":"Compartment is the vault compartment OCID.\nRequired for PushSecret","type":"string"},"encryptionKey":{"description":"EncryptionKey is the OCID of the encryption key within the vault.\nRequired for PushSecret","type":"string"},"principalType":{"description":"The type of principal to use for authentication. If left blank, the Auth struct will\ndetermine the principal type. This optional field must be specified if using\nworkload identity.","type":"string","enum":["","UserPrincipal","InstancePrincipal","Workload"]},"region":{"description":"Region is the region where vault is located.","type":"string"},"serviceAccountRef":{"description":"ServiceAccountRef specifies the service account\nthat should be used when authenticating with WorkloadIdentity.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"vault":{"description":"Vault is the vault's OCID of the specific vault where secret is located.","type":"string"}}},"pulumi":{"description":"Pulumi configures this store to sync secrets using the Pulumi provider","type":"object","required":["accessToken","environment","organization"],"properties":{"accessToken":{"description":"AccessToken is the access tokens to sign in to the Pulumi Cloud Console.","type":"object","properties":{"secretRef":{"description":"SecretRef is a reference to a secret containing the Pulumi API token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"apiUrl":{"description":"APIURL is the URL of the Pulumi API.","type":"string"},"environment":{"description":"Environment are YAML documents composed of static key-value pairs, programmatic expressions,\ndynamically retrieved values from supported providers including all major clouds,\nand other Pulumi ESC environments.\nTo create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.","type":"string"},"organization":{"description":"Organization are a space to collaborate on shared projects and stacks.\nTo create a new organization, visit https://app.pulumi.com/ and click \"New Organization\".","type":"string"}}},"scaleway":{"description":"Scaleway","type":"object","required":["accessKey","projectId","region","secretKey"],"properties":{"accessKey":{"description":"AccessKey is the non-secret part of the api key.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}},"apiUrl":{"description":"APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com","type":"string"},"projectId":{"description":"ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings","type":"string"},"region":{"description":"Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone","type":"string"},"secretKey":{"description":"SecretKey is the secret part of the api key.","type":"object","properties":{"secretRef":{"description":"SecretRef references a key in a secret that will be used as value.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"value":{"description":"Value can be specified directly to set a value without using a secret.","type":"string"}}}}},"senhasegura":{"description":"Senhasegura configures this store to sync secrets using senhasegura provider","type":"object","required":["auth","module","url"],"properties":{"auth":{"description":"Auth defines parameters to authenticate in senhasegura","type":"object","required":["clientId","clientSecretSecretRef"],"properties":{"clientId":{"type":"string"},"clientSecretSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ignoreSslCertificate":{"description":"IgnoreSslCertificate defines whether the SSL certificate presented by the senhasegura server is ignored, i.e. not verified. When true, the identity of the server at `url` is not authenticated.","type":"boolean"},"module":{"description":"Module defines which senhasegura module should be used to get secrets","type":"string"},"url":{"description":"URL of senhasegura","type":"string"}}},"vault":{"description":"Vault configures this store to sync secrets using the HashiCorp Vault provider","type":"object","required":["auth","server"],"properties":{"auth":{"description":"Auth configures how secret-manager authenticates with the Vault server.","type":"object","properties":{"appRole":{"description":"AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.","type":"object","required":["path","secretRef"],"properties":{"path":{"description":"Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"","type":"string"},"roleId":{"description":"RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.","type":"string"},"roleRef":{"description":"Reference to a key in a Secret that contains the App Role ID used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role id.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"cert":{"description":"Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method","type":"object","properties":{"clientCert":{"description":"ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretRef":{"description":"SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"iam":{"description":"Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method","type":"object","required":["vaultRole"],"properties":{"externalID":{"description":"AWS External ID set on assumed IAM roles","type":"string"},"jwt":{"description":"Specify a service account with IRSA enabled","type":"object","properties":{"serviceAccountRef":{"description":"A reference to a ServiceAccount resource.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the AWS auth method is enabled in Vault, e.g: \"aws\"","type":"string"},"region":{"description":"AWS region","type":"string"},"role":{"description":"This is the AWS role to be assumed before talking to vault","type":"string"},"secretRef":{"description":"Specify credentials in a Secret object","type":"object","properties":{"accessKeyIDSecretRef":{"description":"The AccessKeyID is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"secretAccessKeySecretRef":{"description":"The SecretAccessKey is used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"sessionTokenSecretRef":{"description":"The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"vaultAwsIamServerID":{"description":"X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws","type":"string"},"vaultRole":{"description":"Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine","type":"string"}}},"jwt":{"description":"Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method","type":"object","required":["path"],"properties":{"kubernetesServiceAccountToken":{"description":"Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token for with the `TokenRequest` API.","type":"object","required":["serviceAccountRef"],"properties":{"audiences":{"description":"Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` if not specified.\nDeprecated: use serviceAccountRef.Audiences instead","type":"array","items":{"type":"string"}},"expirationSeconds":{"description":"Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDeprecated: this will be removed in the future.\nDefaults to 10 minutes.","type":"integer","format":"int64"},"serviceAccountRef":{"description":"Service account field containing the name of a kubernetes ServiceAccount.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"path":{"description":"Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"","type":"string"},"role":{"description":"Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method","type":"string"},"secretRef":{"description":"Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"kubernetes":{"description":"Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.","type":"object","required":["mountPath","role"],"properties":{"mountPath":{"description":"Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"","type":"string"},"role":{"description":"A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.","type":"string"},"secretRef":{"description":"Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"serviceAccountRef":{"description":"Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.","type":"object","required":["name"],"properties":{"audiences":{"description":"Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list","type":"array","items":{"type":"string"}},"name":{"description":"The name of the ServiceAccount resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"ldap":{"description":"Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method","type":"string"}}},"tokenSecretRef":{"description":"TokenSecretRef authenticates with Vault by presenting a token.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"userPass":{"description":"UserPass authenticates with Vault by passing username/password pair","type":"object","required":["path","username"],"properties":{"path":{"description":"Path where the UserPassword authentication backend is mounted\nin Vault, e.g: \"user\"","type":"string"},"secretRef":{"description":"SecretRef to a key in a Secret resource containing password for the\nuser used to authenticate with Vault using the UserPass authentication\nmethod","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"username":{"description":"Username is a user name used to authenticate using the UserPass Vault\nauthentication method","type":"string"}}}}},"caBundle":{"description":"PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate Vault server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key where the CA certificate can be found in the Secret or ConfigMap.","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"forwardInconsistent":{"description":"ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header","type":"boolean"},"namespace":{"description":"Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces","type":"string"},"path":{"description":"Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.","type":"string"},"readYourWrites":{"description":"ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency","type":"boolean"},"server":{"description":"Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".","type":"string"},"tls":{"description":"The configuration used for client side related TLS communication, when the Vault server\nrequires mutual authentication. Only used if the Server URL is using HTTPS protocol.\nThis parameter is ignored for plain HTTP protocol connection.\nIt's worth noting this configuration is different from the \"TLS certificates auth method\",\nwhich is available under the `auth.cert` section.","type":"object","properties":{"certSecretRef":{"description":"CertSecretRef is a certificate added to the transport layer\nwhen communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.crt'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}},"keySecretRef":{"description":"KeySecretRef to a key in a Secret resource containing client private key\nadded to the transport layer when communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.key'.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"version":{"description":"Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".","type":"string","enum":["v1","v2"]}}},"webhook":{"description":"Webhook configures this store to sync secrets using a generic templated webhook","type":"object","required":["result","url"],"properties":{"body":{"description":"Body","type":"string"},"caBundle":{"description":"PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.","type":"string","format":"byte"},"caProvider":{"description":"The provider for the CA bundle to use to validate webhook server certificate.","type":"object","required":["name","type"],"properties":{"key":{"description":"The key the value inside of the provider type to use, only used with \"Secret\" type","type":"string"},"name":{"description":"The name of the object located at the provider type.","type":"string"},"namespace":{"description":"The namespace the Provider type is in.","type":"string"},"type":{"description":"The type of provider to use such as \"Secret\", or \"ConfigMap\".","type":"string","enum":["Secret","ConfigMap"]}}},"headers":{"description":"Headers","type":"object","additionalProperties":{"type":"string"}},"method":{"description":"Webhook Method","type":"string"},"result":{"description":"Result formatting","type":"object","properties":{"jsonPath":{"description":"Json path of return value","type":"string"}}},"secrets":{"description":"Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name","type":"array","items":{"type":"object","required":["name","secretRef"],"properties":{"name":{"description":"Name of this secret in templates","type":"string"},"secretRef":{"description":"Secret ref to fill in credentials","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}},"timeout":{"description":"Timeout","type":"string"},"url":{"description":"Webhook url to call","type":"string"}}},"yandexcertificatemanager":{"description":"YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Certificate Manager","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}},"yandexlockbox":{"description":"YandexLockbox configures this store to sync secrets using Yandex Lockbox provider","type":"object","required":["auth"],"properties":{"apiEndpoint":{"description":"Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')","type":"string"},"auth":{"description":"Auth defines the information necessary to authenticate against Yandex Lockbox","type":"object","properties":{"authorizedKeySecretRef":{"description":"The authorized key used for authentication","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}},"caProvider":{"description":"The provider for the CA bundle to use to validate Yandex.Cloud server certificate.","type":"object","properties":{"certSecretRef":{"description":"A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.","type":"object","properties":{"key":{"description":"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.","type":"string"},"name":{"description":"The name of the Secret resource being referred to.","type":"string"},"namespace":{"description":"Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.","type":"string"}}}}}}}}},"refreshInterval":{"description":"Used to configure store refresh interval in seconds. 
Empty or 0 will default to the controller config.","type":"integer"},"retrySettings":{"description":"Used to configure http retries if failed","type":"object","properties":{"maxRetries":{"type":"integer","format":"int32"},"retryInterval":{"type":"string"}}}}},"status":{"description":"SecretStoreStatus defines the observed state of the SecretStore.","type":"object","properties":{"capabilities":{"description":"SecretStoreCapabilities defines the possible operations a SecretStore can do.","type":"string"},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"SecretStore","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.SecretStore"},"io.external-secrets.v1beta1.SecretStoreList":{"description":"SecretStoreList is a list of SecretStore","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of secretstores. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.external-secrets.v1beta1.SecretStore"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"external-secrets.io","kind":"SecretStoreList","version":"v1beta1"}],"title":"io.external-secrets.v1beta1.SecretStoreList"},"io.k8s.api.admissionregistration.v1.AuditAnnotation":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.","type":"string"}},"title":"io.k8s.api.admissionregistration.v1.AuditAnnotation"},"io.k8s.api.admissionregistration.v1.ExpressionWarning":{"description":"ExpressionWarning is a warning information that targets a specific expression.","type":"object","required":["fieldRef","warning"],"properties":{"fieldRef":{"description":"The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"","type":"string"},"warning":{"description":"The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.","type":"string"}},"title":"io.k8s.api.admissionregistration.v1.ExpressionWarning"},"io.k8s.api.admissionregistration.v1.MatchCondition":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}},"title":"io.k8s.api.admissionregistration.v1.MatchCondition"},"io.k8s.api.admissionregistration.v1.MatchResources":{"description":"MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. 
If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. 
Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.admissionregistration.v1.MatchResources"},"io.k8s.api.admissionregistration.v1.MutatingWebhook":{"description":"MutatingWebhook describes an admission webhook and the resources and operations it applies to.","type":"object","required":["name","clientConfig","sideEffects","admissionReviewVersions"],"properties":{"admissionReviewVersions":{"description":"AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"clientConfig":{"description":"ClientConfig defines how to communicate with the hook. Required","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"},"failurePolicy":{"description":"FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. 
Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchPolicy":{"description":"matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"name":{"description":"The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. 
If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. 
Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.\n - `\"Never\"` indicates that the mutation must not be called more than once in a single admission evaluation.","type":"string","enum":["IfNeeded","Never"]},"rules":{"description":"Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. 
However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations"},"x-kubernetes-list-type":"atomic"},"sideEffects":{"description":"SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.","type":"string","enum":["None","NoneOnDryRun","Some","Unknown"]},"timeoutSeconds":{"description":"TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. 
The timeout value must be between 1 and 30 seconds. Default to 10 seconds.","type":"integer","format":"int32"}},"title":"io.k8s.api.admissionregistration.v1.MutatingWebhook"},"io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration":{"description":"MutatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects and may change the object.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"webhooks":{"description":"Webhooks is a list of webhooks and the affected resources and operations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhook"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"},"io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList":{"description":"MutatingWebhookConfigurationList is a 
list of MutatingWebhookConfiguration.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of MutatingWebhookConfiguration.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfigurationList","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList"},"io.k8s.api.admissionregistration.v1.NamedRuleWithOperations":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string","enum":["*","CONNECT","CREATE","DELETE","UPDATE"]},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. 
Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.","type":"string","enum":["*","Cluster","Namespaced"]}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"},"io.k8s.api.admissionregistration.v1.ParamKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to. Required.","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.admissionregistration.v1.ParamKind"},"io.k8s.api.admissionregistration.v1.ParamRef":{"description":"ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. 
Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.admissionregistration.v1.ParamRef"},"io.k8s.api.admissionregistration.v1.RuleWithOperations":{"description":"RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string","enum":["*","CONNECT","CREATE","DELETE","UPDATE"]},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. 
Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.","type":"string","enum":["*","Cluster","Namespaced"]}},"title":"io.k8s.api.admissionregistration.v1.RuleWithOperations"},"io.k8s.api.admissionregistration.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","required":["namespace","name"],"properties":{"name":{"description":"`name` is the name of the service. Required","type":"string"},"namespace":{"description":"`namespace` is the namespace of the service. Required","type":"string"},"path":{"description":"`path` is an optional URL path which will be sent in any request to this service.","type":"string"},"port":{"description":"If specified, the port on the service that is hosting the webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).","type":"integer","format":"int32"}},"title":"io.k8s.api.admissionregistration.v1.ServiceReference"},"io.k8s.api.admissionregistration.v1.TypeChecking":{"description":"TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy","type":"object","properties":{"expressionWarnings":{"description":"The type checking warnings for each expression.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ExpressionWarning"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.admissionregistration.v1.TypeChecking"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicy.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec"},"status":{"description":"The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding":{"description":"ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with parameterized resources. 
ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. 
Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList":{"description":"ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of PolicyBinding.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBindingList","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec":{"description":"ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.","type":"object","properties":{"matchResources":{"description":"MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. 
Note that this differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchResources"},"paramRef":{"description":"paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy is applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ParamRef"},"policyName":{"description":"PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored. Required.","type":"string"},"validationActions":{"description":"validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. 
Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"type":"string","enum":["Audit","Deny","Warn"]},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList":{"description":"ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingAdmissionPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyList","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec":{"description":"ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.AuditAnnotation"},"x-kubernetes-list-type":"atomic"},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. 
Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate. 
The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API, ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchResources"},"paramKind":{"description":"ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ParamKind"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.Validation"},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. 
Thus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.Variable"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus":{"description":"ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.","type":"object","properties":{"conditions":{"description":"The conditions represent the latest available observations of a policy's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"observedGeneration":{"description":"The generation observed by the controller.","type":"integer","format":"int64"},"typeChecking":{"description":"The results of type checking for each expression. Presence of this field indicates the completion of the type checking.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.TypeChecking"}},"title":"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus"},"io.k8s.api.admissionregistration.v1.ValidatingWebhook":{"description":"ValidatingWebhook describes an admission webhook and the resources and operations it applies to.","type":"object","required":["name","clientConfig","sideEffects","admissionReviewVersions"],"properties":{"admissionReviewVersions":{"description":"AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. The API server will try to use the first version in the list which it supports. If none of the versions specified in this list are supported by the API server, validation will fail for this object. 
If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"clientConfig":{"description":"ClientConfig defines how to communicate with the hook. Required","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"},"failurePolicy":{"description":"FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchPolicy":{"description":"matchPolicy defines how the \"rules\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"name":{"description":"The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. 
If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"rules":{"description":"Rules describes what operations on what resources/subresources the webhook cares about. 
The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations"},"x-kubernetes-list-type":"atomic"},"sideEffects":{"description":"SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.","type":"string","enum":["None","NoneOnDryRun","Some","Unknown"]},"timeoutSeconds":{"description":"TimeoutSeconds specifies the timeout for this webhook. 
After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults to 10 seconds.","type":"integer","format":"int32"}},"title":"io.k8s.api.admissionregistration.v1.ValidatingWebhook"},"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration":{"description":"ValidatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects an object without changing it.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"webhooks":{"description":"Webhooks is a list of webhooks and the affected resources and operations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhook"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"},"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList":{"description":"ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingWebhookConfiguration.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfigurationList","version":"v1"}],"title":"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList"},"io.k8s.api.admissionregistration.v1.Validation":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. 
Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. 
The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.","type":"string"}},"title":"io.k8s.api.admissionregistration.v1.Validation"},"io.k8s.api.admissionregistration.v1.Variable":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.admissionregistration.v1.Variable"},"io.k8s.api.admissionregistration.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook","type":"object","properties":{"caBundle":{"description":"`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte"},"service":{"description":"`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ServiceReference"},"url":{"description":"`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). 
Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.","type":"string"}},"title":"io.k8s.api.admissionregistration.v1.WebhookClientConfig"},"io.k8s.api.apps.v1.ControllerRevision":{"description":"ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. 
It is primarily for internal use by controllers.","type":"object","required":["revision"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"description":"Data is the serialized representation of the state.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"revision":{"description":"Revision indicates the revision of the state represented by Data.","type":"integer","format":"int64"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ControllerRevision","version":"v1"}],"title":"io.k8s.api.apps.v1.ControllerRevision"},"io.k8s.api.apps.v1.ControllerRevisionList":{"description":"ControllerRevisionList is a resource containing a list of ControllerRevision objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of ControllerRevisions","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ControllerRevisionList","version":"v1"}],"title":"io.k8s.api.apps.v1.ControllerRevisionList"},"io.k8s.api.apps.v1.DaemonSet":{"description":"DaemonSet represents the configuration of a daemon set.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetSpec"},"status":{"description":"The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DaemonSet","version":"v1"}],"title":"io.k8s.api.apps.v1.DaemonSet"},"io.k8s.api.apps.v1.DaemonSetCondition":{"description":"DaemonSetCondition describes the state of a DaemonSet at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of DaemonSet condition.","type":"string"}},"title":"io.k8s.api.apps.v1.DaemonSetCondition"},"io.k8s.api.apps.v1.DaemonSetList":{"description":"DaemonSetList is a collection of daemon sets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"A list of daemon sets.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DaemonSetList","version":"v1"}],"title":"io.k8s.api.apps.v1.DaemonSetList"},"io.k8s.api.apps.v1.DaemonSetSpec":{"description":"DaemonSetSpec is the specification of a daemon set.","type":"object","required":["selector","template"],"properties":{"minReadySeconds":{"description":"The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.","type":"integer","format":"int32"},"selector":{"description":"A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"template":{"description":"An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"updateStrategy":{"description":"An update strategy to replace existing DaemonSet pods with new pods.","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetUpdateStrategy"}},"title":"io.k8s.api.apps.v1.DaemonSetSpec"},"io.k8s.api.apps.v1.DaemonSetStatus":{"description":"DaemonSetStatus represents the current status of a daemon set.","type":"object","required":["currentNumberScheduled","numberMisscheduled","desiredNumberScheduled","numberReady"],"properties":{"collisionCount":{"description":"Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a DaemonSet's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentNumberScheduled":{"description":"The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. 
More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"desiredNumberScheduled":{"description":"The total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"numberAvailable":{"description":"The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)","type":"integer","format":"int32"},"numberMisscheduled":{"description":"The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"numberReady":{"description":"numberReady is the number of nodes that should be running the daemon pod and have one or more of the daemon pod running with a Ready Condition.","type":"integer","format":"int32"},"numberUnavailable":{"description":"The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)","type":"integer","format":"int32"},"observedGeneration":{"description":"The most recent generation observed by the daemon set controller.","type":"integer","format":"int64"},"updatedNumberScheduled":{"description":"The total number of nodes that are running updated daemon pod","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.DaemonSetStatus"},"io.k8s.api.apps.v1.DaemonSetUpdateStrategy":{"description":"DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.","type":"object","properties":{"rollingUpdate":{"description":"Rolling update config params. 
Present only if type = \"RollingUpdate\".","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateDaemonSet"},"type":{"description":"Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate.\n\nPossible enum values:\n - `\"OnDelete\"` Replace the old daemons only when it's killed\n - `\"RollingUpdate\"` Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.","type":"string","enum":["OnDelete","RollingUpdate"]}},"title":"io.k8s.api.apps.v1.DaemonSetUpdateStrategy"},"io.k8s.api.apps.v1.Deployment":{"description":"Deployment enables declarative updates for Pods and ReplicaSets.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the Deployment.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentSpec"},"status":{"description":"Most recently observed status of the Deployment.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"Deployment","version":"v1"}],"title":"io.k8s.api.apps.v1.Deployment"},"io.k8s.api.apps.v1.DeploymentCondition":{"description":"DeploymentCondition describes the state of a deployment at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastUpdateTime":{"description":"The last time this condition was updated.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of deployment condition.","type":"string"}},"title":"io.k8s.api.apps.v1.DeploymentCondition"},"io.k8s.api.apps.v1.DeploymentList":{"description":"DeploymentList is a list of Deployments.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of Deployments.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DeploymentList","version":"v1"}],"title":"io.k8s.api.apps.v1.DeploymentList"},"io.k8s.api.apps.v1.DeploymentSpec":{"description":"DeploymentSpec is the specification of the desired behavior of the Deployment.","type":"object","required":["selector","template"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"paused":{"description":"Indicates that the deployment is paused.","type":"boolean"},"progressDeadlineSeconds":{"description":"The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.","type":"integer","format":"int32"},"replicas":{"description":"Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. 
Defaults to 1.","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.","type":"integer","format":"int32"},"selector":{"description":"Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"strategy":{"description":"The deployment strategy to use to replace existing pods with new ones.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentStrategy","x-kubernetes-patch-strategy":"retainKeys"},"template":{"description":"Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\".","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}},"title":"io.k8s.api.apps.v1.DeploymentSpec"},"io.k8s.api.apps.v1.DeploymentStatus":{"description":"DeploymentStatus is the most recently observed status of the Deployment.","type":"object","properties":{"availableReplicas":{"description":"Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.","type":"integer","format":"int32"},"collisionCount":{"description":"Count of hash collisions for the Deployment. 
The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a deployment's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"observedGeneration":{"description":"The generation observed by the deployment controller.","type":"integer","format":"int64"},"readyReplicas":{"description":"Total number of non-terminating pods targeted by this Deployment with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"Total number of non-terminating pods targeted by this deployment (their labels match the selector).","type":"integer","format":"int32"},"terminatingReplicas":{"description":"Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).","type":"integer","format":"int32"},"unavailableReplicas":{"description":"Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. 
They may either be pods that are running but not yet available or pods that still have not been created.","type":"integer","format":"int32"},"updatedReplicas":{"description":"Total number of non-terminating pods targeted by this deployment that have the desired template spec.","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.DeploymentStatus"},"io.k8s.api.apps.v1.DeploymentStrategy":{"description":"DeploymentStrategy describes how to replace existing pods with new ones.","type":"object","properties":{"rollingUpdate":{"description":"Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateDeployment"},"type":{"description":"Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.\n\nPossible enum values:\n - `\"Recreate\"` Kill all existing pods before creating new ones.\n - `\"RollingUpdate\"` Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.","type":"string","enum":["Recreate","RollingUpdate"]}},"title":"io.k8s.api.apps.v1.DeploymentStrategy"},"io.k8s.api.apps.v1.ReplicaSet":{"description":"ReplicaSet ensures that a specified number of pod replicas are running at any given time.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetSpec"},"status":{"description":"Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ReplicaSet","version":"v1"}],"title":"io.k8s.api.apps.v1.ReplicaSet"},"io.k8s.api.apps.v1.ReplicaSetCondition":{"description":"ReplicaSetCondition describes the state of a replica set at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"The last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of replica set 
condition.","type":"string"}},"title":"io.k8s.api.apps.v1.ReplicaSetCondition"},"io.k8s.api.apps.v1.ReplicaSetList":{"description":"ReplicaSetList is a collection of ReplicaSets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ReplicaSets. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ReplicaSetList","version":"v1"}],"title":"io.k8s.api.apps.v1.ReplicaSetList"},"io.k8s.api.apps.v1.ReplicaSetSpec":{"description":"ReplicaSetSpec is the specification of a ReplicaSet.","type":"object","required":["selector"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the number of desired pods. 
This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset","type":"integer","format":"int32"},"selector":{"description":"Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"template":{"description":"Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}},"title":"io.k8s.api.apps.v1.ReplicaSetSpec"},"io.k8s.api.apps.v1.ReplicaSetStatus":{"description":"ReplicaSetStatus represents the current status of a ReplicaSet.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a replica set's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"fullyLabeledReplicas":{"description":"The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.","type":"integer","format":"int32"},"observedGeneration":{"description":"ObservedGeneration reflects the generation of the most recently observed 
ReplicaSet.","type":"integer","format":"int64"},"readyReplicas":{"description":"The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the most recently observed number of non-terminating pods. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset","type":"integer","format":"int32"},"terminatingReplicas":{"description":"The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.ReplicaSetStatus"},"io.k8s.api.apps.v1.RollingUpdateDaemonSet":{"description":"Spec to control the desired behavior of daemon set rolling update.","type":"object","properties":{"maxSurge":{"description":"The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediately created on that node without considering surge limits. 
Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"maxUnavailable":{"description":"The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0 if MaxSurge is 0. Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}},"title":"io.k8s.api.apps.v1.RollingUpdateDaemonSet"},"io.k8s.api.apps.v1.RollingUpdateDeployment":{"description":"Spec to control the desired behavior of rolling update.","type":"object","properties":{"maxSurge":{"description":"The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. 
Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"maxUnavailable":{"description":"The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}},"title":"io.k8s.api.apps.v1.RollingUpdateDeployment"},"io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy":{"description":"RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.","type":"object","properties":{"maxUnavailable":{"description":"The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. 
That policy ensures pods are created and become ready one at a time.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"partition":{"description":"Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"},"io.k8s.api.apps.v1.StatefulSet":{"description":"StatefulSet represents a set of pods with consistent identities. Identities are defined as:\n  - Network: A single stable DNS and hostname.\n  - Storage: As many VolumeClaims as requested.\n\nThe StatefulSet guarantees that a given network identity will always map to the same storage identity.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the desired identities of pods in this set.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetSpec"},"status":{"description":"Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"StatefulSet","version":"v1"}],"title":"io.k8s.api.apps.v1.StatefulSet"},"io.k8s.api.apps.v1.StatefulSetCondition":{"description":"StatefulSetCondition describes the state of a statefulset at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of statefulset condition.","type":"string"}},"title":"io.k8s.api.apps.v1.StatefulSetCondition"},"io.k8s.api.apps.v1.StatefulSetList":{"description":"StatefulSetList is a collection of StatefulSets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of stateful sets.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"StatefulSetList","version":"v1"}],"title":"io.k8s.api.apps.v1.StatefulSetList"},"io.k8s.api.apps.v1.StatefulSetOrdinals":{"description":"StatefulSetOrdinals describes the policy used for replica ordinal assignment in this StatefulSet.","type":"object","properties":{"start":{"description":"start is the number representing the first replica's index. It may be used to number replicas from an alternate index (eg: 1-indexed) over the default 0-indexed names, or to orchestrate progressive movement of replicas from one StatefulSet to another. If set, replica indices will be in the range:\n  [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).\nIf unset, defaults to 0. 
Replica indices will be in the range:\n  [0, .spec.replicas).","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.StatefulSetOrdinals"},"io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy":{"description":"StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.","type":"object","properties":{"whenDeleted":{"description":"WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted. The default policy of `Retain` causes PVCs to not be affected by StatefulSet deletion. The `Delete` policy causes those PVCs to be deleted.","type":"string"},"whenScaled":{"description":"WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. The default policy of `Retain` causes PVCs to not be affected by a scaledown. The `Delete` policy causes the associated PVCs for any excess pods above the replica count to be deleted.","type":"string"}},"title":"io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy"},"io.k8s.api.apps.v1.StatefulSetSpec":{"description":"A StatefulSetSpec is the specification of a StatefulSet.","type":"object","required":["selector","template"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"ordinals":{"description":"ordinals controls the numbering of replica indices in a StatefulSet. 
The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetOrdinals"},"persistentVolumeClaimRetentionPolicy":{"description":"persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy"},"podManagementPolicy":{"description":"podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.\n\nPossible enum values:\n - `\"OrderedReady\"` will create pods in strictly increasing order on scale up and strictly decreasing order on scale down, progressing only when the previous pod is ready or terminated. At most one pod will be changed at any time.\n - `\"Parallel\"` will create and delete pods as soon as the stateful set replica count is changed, and will not wait for pods to be ready or complete termination.","type":"string","enum":["OrderedReady","Parallel"]},"replicas":{"description":"replicas is the desired number of replicas of the given Template. 
These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.","type":"integer","format":"int32"},"selector":{"description":"selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"serviceName":{"description":"serviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where \"pod-specific-string\" is managed by the StatefulSet controller.","type":"string"},"template":{"description":"template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". 
The only allowed template.spec.restartPolicy value is \"Always\".","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"updateStrategy":{"description":"updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy"},"volumeClaimTemplates":{"description":"volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.apps.v1.StatefulSetSpec"},"io.k8s.api.apps.v1.StatefulSetStatus":{"description":"StatefulSetStatus represents the current state of a StatefulSet.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.","type":"integer","format":"int32"},"collisionCount":{"description":"collisionCount is the count of hash collisions for the StatefulSet. 
The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a statefulset's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentReplicas":{"description":"currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.","type":"integer","format":"int32"},"currentRevision":{"description":"currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).","type":"string"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed for this StatefulSet. 
It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.","type":"integer","format":"int64"},"readyReplicas":{"description":"readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"replicas is the number of Pods created by the StatefulSet controller.","type":"integer","format":"int32"},"updateRevision":{"description":"updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)","type":"string"},"updatedReplicas":{"description":"updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.","type":"integer","format":"int32"}},"title":"io.k8s.api.apps.v1.StatefulSetStatus"},"io.k8s.api.apps.v1.StatefulSetUpdateStrategy":{"description":"StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.","type":"object","properties":{"rollingUpdate":{"description":"RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"},"type":{"description":"Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.\n\nPossible enum values:\n - `\"OnDelete\"` triggers the legacy behavior. Version tracking and ordered rolling restarts are disabled. Pods are recreated from the StatefulSetSpec when they are manually deleted. When a scale operation is performed with this strategy, new Pods will be created from the specification version indicated by the StatefulSet's currentRevision.\n - `\"RollingUpdate\"` indicates that update will be applied to all Pods in the StatefulSet with respect to the StatefulSet ordering constraints. 
When a scale operation is performed with this strategy, new Pods will be created from the specification version indicated by the StatefulSet's updateRevision.","type":"string","enum":["OnDelete","RollingUpdate"]}},"title":"io.k8s.api.apps.v1.StatefulSetUpdateStrategy"},"io.k8s.api.authentication.v1.BoundObjectReference":{"description":"BoundObjectReference is a reference to an object that a token is bound to.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"kind":{"description":"Kind of the referent. Valid kinds are 'Pod' and 'Secret'.","type":"string"},"name":{"description":"Name of the referent.","type":"string"},"uid":{"description":"UID of the referent.","type":"string"}},"title":"io.k8s.api.authentication.v1.BoundObjectReference"},"io.k8s.api.authentication.v1.SelfSubjectReview":{"description":"SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"status":{"description":"Status is filled in by the server with the user attributes.","$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"SelfSubjectReview","version":"v1"}],"title":"io.k8s.api.authentication.v1.SelfSubjectReview"},"io.k8s.api.authentication.v1.SelfSubjectReviewStatus":{"description":"SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.","type":"object","properties":{"userInfo":{"description":"User attributes of the user making this request.","$ref":"#/definitions/io.k8s.api.authentication.v1.UserInfo"}},"title":"io.k8s.api.authentication.v1.SelfSubjectReviewStatus"},"io.k8s.api.authentication.v1.TokenRequest":{"description":"TokenRequest requests a token for a given service account.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestSpec"},"status":{"description":"Status is filled in by the server and indicates whether the token can be authenticated.","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"TokenRequest","version":"v1"}],"title":"io.k8s.api.authentication.v1.TokenRequest"},"io.k8s.api.authentication.v1.TokenRequestSpec":{"description":"TokenRequestSpec contains client provided parameters of a token request.","type":"object","required":["audiences"],"properties":{"audiences":{"description":"Audiences are the intended audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"boundObjectRef":{"description":"BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.","$ref":"#/definitions/io.k8s.api.authentication.v1.BoundObjectReference"},"expirationSeconds":{"description":"ExpirationSeconds is the requested duration of validity of the request. 
The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.","type":"integer","format":"int64"}},"title":"io.k8s.api.authentication.v1.TokenRequestSpec"},"io.k8s.api.authentication.v1.TokenRequestStatus":{"description":"TokenRequestStatus is the result of a token request.","type":"object","required":["token","expirationTimestamp"],"properties":{"expirationTimestamp":{"description":"ExpirationTimestamp is the time of expiration of the returned token.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"token":{"description":"Token is the opaque bearer token.","type":"string"}},"title":"io.k8s.api.authentication.v1.TokenRequestStatus"},"io.k8s.api.authentication.v1.TokenReview":{"description":"TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request can be authenticated.","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"TokenReview","version":"v1"}],"title":"io.k8s.api.authentication.v1.TokenReview"},"io.k8s.api.authentication.v1.TokenReviewSpec":{"description":"TokenReviewSpec is a description of the token authentication request.","type":"object","properties":{"audiences":{"description":"Audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"token":{"description":"Token is the opaque bearer token.","type":"string"}},"title":"io.k8s.api.authentication.v1.TokenReviewSpec"},"io.k8s.api.authentication.v1.TokenReviewStatus":{"description":"TokenReviewStatus is the result of the token authentication request.","type":"object","properties":{"audiences":{"description":"Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. 
A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"authenticated":{"description":"Authenticated indicates that the token was associated with a known user.","type":"boolean"},"error":{"description":"Error indicates that the token couldn't be checked","type":"string"},"user":{"description":"User is the UserInfo associated with the provided token.","$ref":"#/definitions/io.k8s.api.authentication.v1.UserInfo"}},"title":"io.k8s.api.authentication.v1.TokenReviewStatus"},"io.k8s.api.authentication.v1.UserInfo":{"description":"UserInfo holds the information about the user needed to implement the user.Info interface.","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"uid":{"description":"A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}},"title":"io.k8s.api.authentication.v1.UserInfo"},"io.k8s.api.authorization.v1.FieldSelectorAttributes":{"description":"FieldSelectorAttributes indicates a field limited access. 
Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.","type":"object","properties":{"rawSelector":{"description":"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.","type":"string"},"requirements":{"description":"requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.authorization.v1.FieldSelectorAttributes"},"io.k8s.api.authorization.v1.LabelSelectorAttributes":{"description":"LabelSelectorAttributes indicates a label limited access. 
Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.","type":"object","properties":{"rawSelector":{"description":"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.","type":"string"},"requirements":{"description":"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.authorization.v1.LabelSelectorAttributes"},"io.k8s.api.authorization.v1.LocalSubjectAccessReview":{"description":"LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. 
Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  
If empty, it is defaulted.","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"LocalSubjectAccessReview","version":"v1"}],"title":"io.k8s.api.authorization.v1.LocalSubjectAccessReview"},"io.k8s.api.authorization.v1.NonResourceAttributes":{"description":"NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface","type":"object","properties":{"path":{"description":"Path is the URL path of the request","type":"string"},"verb":{"description":"Verb is the standard HTTP verb","type":"string"}},"title":"io.k8s.api.authorization.v1.NonResourceAttributes"},"io.k8s.api.authorization.v1.NonResourceRule":{"description":"NonResourceRule holds information that describes a rule for the non-resource","type":"object","required":["verbs"],"properties":{"nonResourceURLs":{"description":"NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.authorization.v1.NonResourceRule"},"io.k8s.api.authorization.v1.ResourceAttributes":{"description":"ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface","type":"object","properties":{"fieldSelector":{"description":"fieldSelector describes the limitation on access based on field.  
It can only limit access, not broaden it.","$ref":"#/definitions/io.k8s.api.authorization.v1.FieldSelectorAttributes"},"group":{"description":"Group is the API Group of the Resource.  \"*\" means all.","type":"string"},"labelSelector":{"description":"labelSelector describes the limitation on access based on labels.  It can only limit access, not broaden it.","$ref":"#/definitions/io.k8s.api.authorization.v1.LabelSelectorAttributes"},"name":{"description":"Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all.","type":"string"},"namespace":{"description":"Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview","type":"string"},"resource":{"description":"Resource is one of the existing resource types.  \"*\" means all.","type":"string"},"subresource":{"description":"Subresource is one of the existing resource types.  \"\" means none.","type":"string"},"verb":{"description":"Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.","type":"string"},"version":{"description":"Version is the API Version of the Resource.  \"*\" means all.","type":"string"}},"title":"io.k8s.api.authorization.v1.ResourceAttributes"},"io.k8s.api.authorization.v1.ResourceRule":{"description":"ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"object","required":["verbs"],"properties":{"apiGroups":{"description":"APIGroups is the name of the APIGroup that contains the resources.  
If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.  \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.authorization.v1.ResourceRule"},"io.k8s.api.authorization.v1.SelfSubjectAccessReview":{"description":"SelfSubjectAccessReview checks whether or not the current user can perform an action.  Not filling in a spec.namespace means \"in all namespaces\".  Self is a special case, because users should always be able to check whether they can perform an action","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated.  user and groups must be empty","$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SelfSubjectAccessReview","version":"v1"}],"title":"io.k8s.api.authorization.v1.SelfSubjectAccessReview"},"io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec":{"description":"SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set","type":"object","properties":{"nonResourceAttributes":{"description":"NonResourceAttributes describes information for a non-resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"},"resourceAttributes":{"description":"ResourceAuthorizationAttributes describes information for a resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"}},"title":"io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec"},"io.k8s.api.authorization.v1.SelfSubjectRulesReview":{"description":"SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. 
SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview and LocalSubjectAccessReview are the correct way to defer authorization decisions to the API server.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated.","$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec"},"status":{"description":"Status is filled in by the server and indicates the set of actions a user can perform.","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectRulesReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SelfSubjectRulesReview","version":"v1"}],"title":"io.k8s.api.authorization.v1.SelfSubjectRulesReview"},"io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec":{"description":"SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.","type":"object","properties":{"namespace":{"description":"Namespace to evaluate rules for. Required.","type":"string"}},"title":"io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec"},"io.k8s.api.authorization.v1.SubjectAccessReview":{"description":"SubjectAccessReview checks whether or not a user or group can perform an action.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SubjectAccessReview","version":"v1"}],"title":"io.k8s.api.authorization.v1.SubjectAccessReview"},"io.k8s.api.authorization.v1.SubjectAccessReviewSpec":{"description":"SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set","type":"object","properties":{"extra":{"description":"Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"Groups is the groups you're testing for.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nonResourceAttributes":{"description":"NonResourceAttributes describes information for a non-resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"},"resourceAttributes":{"description":"ResourceAuthorizationAttributes describes information for a resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"},"uid":{"description":"UID information about the requesting user.","type":"string"},"user":{"description":"User is the user you're testing for. 
If you specify \"User\" but not \"Groups\", then it is interpreted as \"What if User were not a member of any groups?\"","type":"string"}},"title":"io.k8s.api.authorization.v1.SubjectAccessReviewSpec"},"io.k8s.api.authorization.v1.SubjectAccessReviewStatus":{"description":"SubjectAccessReviewStatus","type":"object","required":["allowed"],"properties":{"allowed":{"description":"Allowed is required. True if the action would be allowed, false otherwise.","type":"boolean"},"denied":{"description":"Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.","type":"boolean"},"evaluationError":{"description":"EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and still be able to determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.","type":"string"},"reason":{"description":"Reason is optional.  It indicates why a request was allowed or denied.","type":"string"}},"title":"io.k8s.api.authorization.v1.SubjectAccessReviewStatus"},"io.k8s.api.authorization.v1.SubjectRulesReviewStatus":{"description":"SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.","type":"object","required":["resourceRules","nonResourceRules","incomplete"],"properties":{"evaluationError":{"description":"EvaluationError can appear in combination with Rules. 
It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.","type":"string"},"incomplete":{"description":"Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.","type":"boolean"},"nonResourceRules":{"description":"NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceRule"},"x-kubernetes-list-type":"atomic"},"resourceRules":{"description":"ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceRule"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.authorization.v1.SubjectRulesReviewStatus"},"io.k8s.api.autoscaling.v1.CrossVersionObjectReference":{"description":"CrossVersionObjectReference contains enough information to let you identify the referred resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"apiVersion is the API version of the referent","type":"string"},"kind":{"description":"kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the referent; More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.autoscaling.v1.CrossVersionObjectReference"},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler":{"description":"configuration of a horizontal pod autoscaler.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the behaviour of autoscaler. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"},"status":{"description":"status is the current information about the autoscaler.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}],"title":"io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList":{"description":"list of horizontal pod autoscaler objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of horizontal pod autoscaler objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscalerList","version":"v1"}],"title":"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList"},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec":{"description":"specification of a horizontal pod autoscaler.","type":"object","required":["scaleTargetRef","maxReplicas"],"properties":{"maxReplicas":{"description":"maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.","type":"integer","format":"int32"},"minReplicas":{"description":"minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured.  
Scaling is active as long as at least one metric value is available.","type":"integer","format":"int32"},"scaleTargetRef":{"description":"reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.CrossVersionObjectReference"},"targetCPUUtilizationPercentage":{"description":"targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.","type":"integer","format":"int32"}},"title":"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus":{"description":"current status of a horizontal pod autoscaler","type":"object","required":["currentReplicas","desiredReplicas"],"properties":{"currentCPUUtilizationPercentage":{"description":"currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 
70 means that an average pod is using now 70% of its requested CPU.","type":"integer","format":"int32"},"currentReplicas":{"description":"currentReplicas is the current number of replicas of pods managed by this autoscaler.","type":"integer","format":"int32"},"desiredReplicas":{"description":"desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.","type":"integer","format":"int32"},"lastScaleTime":{"description":"lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed by this autoscaler.","type":"integer","format":"int64"}},"title":"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus"},"io.k8s.api.autoscaling.v1.Scale":{"description":"Scale represents a scaling request for a resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the behavior of the scale. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec"},"status":{"description":"status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"Scale","version":"v1"}],"title":"io.k8s.api.autoscaling.v1.Scale"},"io.k8s.api.autoscaling.v1.ScaleSpec":{"description":"ScaleSpec describes the attributes of a scale subresource.","type":"object","properties":{"replicas":{"description":"replicas is the desired number of instances for the scaled object.","type":"integer","format":"int32"}},"title":"io.k8s.api.autoscaling.v1.ScaleSpec"},"io.k8s.api.autoscaling.v1.ScaleStatus":{"description":"ScaleStatus represents the current status of a scale subresource.","type":"object","required":["replicas"],"properties":{"replicas":{"description":"replicas is the actual number of observed instances of the scaled object.","type":"integer","format":"int32"},"selector":{"description":"selector is the label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"string"}},"title":"io.k8s.api.autoscaling.v1.ScaleStatus"},"io.k8s.api.autoscaling.v2.ContainerResourceMetricSource":{"description":"ContainerResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  
Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.  Only one \"target\" type should be set.","type":"object","required":["name","target","container"],"properties":{"container":{"description":"container is the name of the container in the pods of the scaling target","type":"string"},"name":{"description":"name is the name of the resource in question.","type":"string"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}},"title":"io.k8s.api.autoscaling.v2.ContainerResourceMetricSource"},"io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus":{"description":"ContainerResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing a single container in each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","type":"object","required":["name","current","container"],"properties":{"container":{"description":"container is the name of the container in the pods of the scaling target","type":"string"},"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"name":{"description":"name is the name of the resource in question.","type":"string"}},"title":"io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus"},"io.k8s.api.autoscaling.v2.CrossVersionObjectReference":{"description":"CrossVersionObjectReference contains enough information to let you identify the referred resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"apiVersion is the API version of the referent","type":"string"},"kind":{"description":"kind is the 
kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"title":"io.k8s.api.autoscaling.v2.CrossVersionObjectReference"},"io.k8s.api.autoscaling.v2.ExternalMetricSource":{"description":"ExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","type":"object","required":["metric","target"],"properties":{"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}},"title":"io.k8s.api.autoscaling.v2.ExternalMetricSource"},"io.k8s.api.autoscaling.v2.ExternalMetricStatus":{"description":"ExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.","type":"object","required":["metric","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}},"title":"io.k8s.api.autoscaling.v2.ExternalMetricStatus"},"io.k8s.api.autoscaling.v2.HPAScalingPolicy":{"description":"HPAScalingPolicy is a single policy which must hold true for a specified past interval.","type":"object","required":["type","value","periodSeconds"],"properties":{"periodSeconds":{"description":"periodSeconds specifies the window of time for which the policy should hold 
true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).","type":"integer","format":"int32"},"type":{"description":"type is used to specify the scaling policy.","type":"string"},"value":{"description":"value contains the amount of change which is permitted by the policy. It must be greater than zero","type":"integer","format":"int32"}},"title":"io.k8s.api.autoscaling.v2.HPAScalingPolicy"},"io.k8s.api.autoscaling.v2.HPAScalingRules":{"description":"HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires the beta HPAConfigurableTolerance feature gate to be enabled.)","type":"object","properties":{"policies":{"description":"policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingPolicy"},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"description":"selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.","type":"string"},"stabilizationWindowSeconds":{"description":"stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. 
StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).","type":"integer","format":"int32"},"tolerance":{"description":"tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.autoscaling.v2.HPAScalingRules"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler":{"description":"HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec"},"status":{"description":"status is the current information about the autoscaler.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}],"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior":{"description":"HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).","type":"object","properties":{"scaleDown":{"description":"scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingRules"},"scaleUp":{"description":"scaleUp is scaling policy for scaling Up. 
If not set, the default value is the higher of:\n  * increase no more than 4 pods per 60 seconds\n  * double the number of pods per 60 seconds\nNo stabilization is used.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingRules"}},"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition":{"description":"HorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable explanation containing details about the transition","type":"string"},"reason":{"description":"reason is the reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition (True, False, Unknown)","type":"string"},"type":{"description":"type describes the current condition","type":"string"}},"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList":{"description":"HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of horizontal pod autoscaler objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata is the standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscalerList","version":"v2"}],"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec":{"description":"HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.","type":"object","required":["scaleTargetRef","maxReplicas"],"properties":{"behavior":{"description":"behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior"},"maxReplicas":{"description":"maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas.","type":"integer","format":"int32"},"metrics":{"description":"metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).  
The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods.  Ergo, metrics used must decrease as the pod count is increased, and vice-versa.  See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricSpec"},"x-kubernetes-list-type":"atomic"},"minReplicas":{"description":"minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured.  Scaling is active as long as at least one metric value is available.","type":"integer","format":"int32"},"scaleTargetRef":{"description":"scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"}},"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec"},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus":{"description":"HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.","type":"object","required":["desiredReplicas"],"properties":{"conditions":{"description":"conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentMetrics":{"description":"currentMetrics is the last read state of the 
metrics used by this autoscaler.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricStatus"},"x-kubernetes-list-type":"atomic"},"currentReplicas":{"description":"currentReplicas is current number of replicas of pods managed by this autoscaler, as last seen by the autoscaler.","type":"integer","format":"int32"},"desiredReplicas":{"description":"desiredReplicas is the desired number of replicas of pods managed by this autoscaler, as last calculated by the autoscaler.","type":"integer","format":"int32"},"lastScaleTime":{"description":"lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed by this autoscaler.","type":"integer","format":"int64"}},"title":"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus"},"io.k8s.api.autoscaling.v2.MetricIdentifier":{"description":"MetricIdentifier defines the name and optionally selector for a metric","type":"object","required":["name"],"properties":{"name":{"description":"name is the name of the given metric","type":"string"},"selector":{"description":"selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. 
When unset, just the metricName will be used to gather metrics.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}},"title":"io.k8s.api.autoscaling.v2.MetricIdentifier"},"io.k8s.api.autoscaling.v2.MetricSpec":{"description":"MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).","type":"object","required":["type"],"properties":{"containerResource":{"description":"containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource"},"external":{"description":"external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource"},"object":{"description":"object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ObjectMetricSource"},"pods":{"description":"pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.PodsMetricSource"},"resource":{"description":"resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. 
CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ResourceMetricSource"},"type":{"description":"type is the type of metric source.  It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.","type":"string"}},"title":"io.k8s.api.autoscaling.v2.MetricSpec"},"io.k8s.api.autoscaling.v2.MetricStatus":{"description":"MetricStatus describes the last-read state of a single metric.","type":"object","required":["type"],"properties":{"containerResource":{"description":"container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus"},"external":{"description":"external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricStatus"},"object":{"description":"object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ObjectMetricStatus"},"pods":{"description":"pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  
The values will be averaged together before being compared to the target value.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.PodsMetricStatus"},"resource":{"description":"resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ResourceMetricStatus"},"type":{"description":"type is the type of metric source.  It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.","type":"string"}},"title":"io.k8s.api.autoscaling.v2.MetricStatus"},"io.k8s.api.autoscaling.v2.MetricTarget":{"description":"MetricTarget defines the target value, average value, or average utilization of a specific metric","type":"object","required":["type"],"properties":{"averageUtilization":{"description":"averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. 
Currently only valid for Resource metric source type","type":"integer","format":"int32"},"averageValue":{"description":"averageValue is the target value of the average of the metric across all relevant pods (as a quantity)","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"type":{"description":"type represents whether the metric type is Utilization, Value, or AverageValue","type":"string"},"value":{"description":"value is the target value of the metric (as a quantity).","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.autoscaling.v2.MetricTarget"},"io.k8s.api.autoscaling.v2.MetricValueStatus":{"description":"MetricValueStatus holds the current value for a metric","type":"object","properties":{"averageUtilization":{"description":"currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.","type":"integer","format":"int32"},"averageValue":{"description":"averageValue is the current value of the average of the metric across all relevant pods (as a quantity)","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"value":{"description":"value is the current value of the metric (as a quantity).","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.autoscaling.v2.MetricValueStatus"},"io.k8s.api.autoscaling.v2.ObjectMetricSource":{"description":"ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).","type":"object","required":["describedObject","target","metric"],"properties":{"describedObject":{"description":"describedObject specifies the descriptions of a object,such as kind,name apiVersion","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"},"metric":{"description":"metric identifies the target metric by name and 
selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}},"title":"io.k8s.api.autoscaling.v2.ObjectMetricSource"},"io.k8s.api.autoscaling.v2.ObjectMetricStatus":{"description":"ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).","type":"object","required":["metric","current","describedObject"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"describedObject":{"description":"DescribedObject specifies the descriptions of a object,such as kind,name apiVersion","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}},"title":"io.k8s.api.autoscaling.v2.ObjectMetricStatus"},"io.k8s.api.autoscaling.v2.PodsMetricSource":{"description":"PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). 
The values will be averaged together before being compared to the target value.","type":"object","required":["metric","target"],"properties":{"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}},"title":"io.k8s.api.autoscaling.v2.PodsMetricSource"},"io.k8s.api.autoscaling.v2.PodsMetricStatus":{"description":"PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).","type":"object","required":["metric","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}},"title":"io.k8s.api.autoscaling.v2.PodsMetricStatus"},"io.k8s.api.autoscaling.v2.ResourceMetricSource":{"description":"ResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.  
Only one \"target\" type should be set.","type":"object","required":["name","target"],"properties":{"name":{"description":"name is the name of the resource in question.","type":"string"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}},"title":"io.k8s.api.autoscaling.v2.ResourceMetricSource"},"io.k8s.api.autoscaling.v2.ResourceMetricStatus":{"description":"ResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","type":"object","required":["name","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"name":{"description":"name is the name of the resource in question.","type":"string"}},"title":"io.k8s.api.autoscaling.v2.ResourceMetricStatus"},"io.k8s.api.batch.v1.CronJob":{"description":"CronJob represents the configuration of a single cron job.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.CronJobSpec"},"status":{"description":"Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.CronJobStatus"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"CronJob","version":"v1"}],"title":"io.k8s.api.batch.v1.CronJob"},"io.k8s.api.batch.v1.CronJobList":{"description":"CronJobList is a collection of cron jobs.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CronJobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"CronJobList","version":"v1"}],"title":"io.k8s.api.batch.v1.CronJobList"},"io.k8s.api.batch.v1.CronJobSpec":{"description":"CronJobSpec describes how the job execution will look like and when it will actually run.","type":"object","required":["schedule","jobTemplate"],"properties":{"concurrencyPolicy":{"description":"Specifies how to treat concurrent executions of a Job. Valid values are:\n\n- \"Allow\" (default): allows CronJobs to run concurrently; - \"Forbid\": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - \"Replace\": cancels currently running job and replaces it with a new one\n\nPossible enum values:\n - `\"Allow\"` allows CronJobs to run concurrently.\n - `\"Forbid\"` forbids concurrent runs, skipping next run if previous hasn't finished yet.\n - `\"Replace\"` cancels currently running job and replaces it with a new one.","type":"string","enum":["Allow","Forbid","Replace"]},"failedJobsHistoryLimit":{"description":"The number of failed finished jobs to retain. Value must be non-negative integer. Defaults to 1.","type":"integer","format":"int32"},"jobTemplate":{"description":"Specifies the job that will be created when executing a CronJob.","$ref":"#/definitions/io.k8s.api.batch.v1.JobTemplateSpec"},"schedule":{"description":"The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.","type":"string"},"startingDeadlineSeconds":{"description":"Optional deadline in seconds for starting the job if it misses scheduled time for any reason.  Missed jobs executions will be counted as failed ones.","type":"integer","format":"int64"},"successfulJobsHistoryLimit":{"description":"The number of successful finished jobs to retain. Value must be non-negative integer. 
Defaults to 3.","type":"integer","format":"int32"},"suspend":{"description":"This flag tells the controller to suspend subsequent executions, it does not apply to already started executions.  Defaults to false.","type":"boolean"},"timeZone":{"description":"The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones","type":"string"}},"title":"io.k8s.api.batch.v1.CronJobSpec"},"io.k8s.api.batch.v1.CronJobStatus":{"description":"CronJobStatus represents the current state of a cron job.","type":"object","properties":{"active":{"description":"A list of pointers to currently running jobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"x-kubernetes-list-type":"atomic"},"lastScheduleTime":{"description":"Information when was the last time the job was successfully scheduled.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastSuccessfulTime":{"description":"Information when was the last time the job successfully completed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.api.batch.v1.CronJobStatus"},"io.k8s.api.batch.v1.Job":{"description":"Job represents the configuration of a single 
job.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobSpec"},"status":{"description":"Current status of a job. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobStatus"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"Job","version":"v1"}],"title":"io.k8s.api.batch.v1.Job"},"io.k8s.api.batch.v1.JobCondition":{"description":"JobCondition describes current state of a job.","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"Last time the condition was checked.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transit from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human readable message indicating details about last transition.","type":"string"},"reason":{"description":"(brief) reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of job condition, Complete or Failed.","type":"string"}},"title":"io.k8s.api.batch.v1.JobCondition"},"io.k8s.api.batch.v1.JobList":{"description":"JobList is a collection of jobs.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of Jobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"JobList","version":"v1"}],"title":"io.k8s.api.batch.v1.JobList"},"io.k8s.api.batch.v1.JobSpec":{"description":"JobSpec describes how the job execution will look like.","type":"object","required":["template"],"properties":{"activeDeadlineSeconds":{"description":"Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.","type":"integer","format":"int64"},"backoffLimit":{"description":"Specifies the number of retries before marking this job failed. Defaults to 6, unless backoffLimitPerIndex (only Indexed Job) is specified. When backoffLimitPerIndex is specified, backoffLimit defaults to 2147483647.","type":"integer","format":"int32"},"backoffLimitPerIndex":{"description":"Specifies the limit for the number of retries within an index before marking this index as failed. When enabled the number of failures per index is kept in the pod's batch.kubernetes.io/job-index-failure-count annotation. It can only be set when Job's completionMode=Indexed, and the Pod's restart policy is Never. The field is immutable.","type":"integer","format":"int32"},"completionMode":{"description":"completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.\n\n`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. 
Each Pod completion is homologous to each other.\n\n`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, the Pod hostname takes the form `$(job-name)-$(index)`.\n\nMore completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, which is possible during upgrades due to version skew, the controller skips updates for the Job.\n\nPossible enum values:\n - `\"Indexed\"` is a Job completion mode. In this mode, the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1). The Job is considered complete when a Pod completes for each completion index.\n - `\"NonIndexed\"` is a Job completion mode. In this mode, the Job is considered complete when there have been .spec.completions successfully completed Pods. Pod completions are homologous to each other.","type":"string","enum":["Indexed","NonIndexed"]},"completions":{"description":"Specifies the desired number of successfully finished pods the job should be run with.  Setting to null means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"integer","format":"int32"},"managedBy":{"description":"ManagedBy field indicates the controller that manages a Job. 
The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.","type":"string"},"manualSelector":{"description":"manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system picks labels unique to this job and appends those labels to the pod template.  When true, the user is responsible for picking unique labels and specifying the selector.  Failure to pick a unique label may cause this and other jobs to not function correctly.  However, you may see `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` API. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector","type":"boolean"},"maxFailedIndexes":{"description":"Specifies the maximal number of failed indexes before marking the Job as failed, when backoffLimitPerIndex is set. Once the number of failed indexes exceeds this number the entire Job is marked as Failed and its execution is terminated. When left as null the job continues execution of all of its indexes and is marked with the `Complete` Job condition. It can only be specified when backoffLimitPerIndex is set. It can be null or up to completions. It is required and must be less than or equal to 10^4 when completions is greater than 10^5.","type":"integer","format":"int32"},"parallelism":{"description":"Specifies the maximum desired number of pods the job should run at any given time. 
The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"integer","format":"int32"},"podFailurePolicy":{"description":"Specifies the policy of handling failed pods. In particular, it allows to specify the set of actions and conditions which need to be satisfied to take the associated action. If empty, the default behaviour applies - the counter of failed pods, represented by the job's .status.failed field, is incremented and it is checked against the backoffLimit. This field cannot be used in combination with restartPolicy=OnFailure.","$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicy"},"podReplacementPolicy":{"description":"podReplacementPolicy specifies when to create replacement Pods. Possible values are: - TerminatingOrFailed means that we recreate pods\n  when they are terminating (has a metadata.deletionTimestamp) or failed.\n- Failed means to wait until a previously created Pod is fully terminated (has phase\n  Failed or Succeeded) before creating a replacement Pod.\n\nWhen using podFailurePolicy, Failed is the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.\n\nPossible enum values:\n - `\"Failed\"` means to wait until a previously created Pod is fully terminated (has phase Failed or Succeeded) before creating a replacement Pod.\n - `\"TerminatingOrFailed\"` means that we recreate pods when they are terminating (has a metadata.deletionTimestamp) or failed.","type":"string","enum":["Failed","TerminatingOrFailed"]},"selector":{"description":"A label query over pods that should match the pod count. Normally, the system sets this field for you. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"successPolicy":{"description":"successPolicy specifies the policy when the Job can be declared as succeeded. If empty, the default behavior applies - the Job is declared as succeeded only when the number of succeeded pods equals to the completions. When the field is specified, it must be immutable and works only for the Indexed Jobs. Once the Job meets the SuccessPolicy, the lingering pods are terminated.","$ref":"#/definitions/io.k8s.api.batch.v1.SuccessPolicy"},"suspend":{"description":"suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.","type":"boolean"},"template":{"description":"Describes the pod that will be created when executing a job. The only allowed template.spec.restartPolicy values are \"Never\" or \"OnFailure\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"ttlSecondsAfterFinished":{"description":"ttlSecondsAfterFinished limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted. When the Job is being deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the Job won't be automatically deleted. 
If this field is set to zero, the Job becomes eligible to be deleted immediately after it finishes.","type":"integer","format":"int32"}},"title":"io.k8s.api.batch.v1.JobSpec"},"io.k8s.api.batch.v1.JobStatus":{"description":"JobStatus represents the current state of a Job.","type":"object","properties":{"active":{"description":"The number of pending and running pods which are not terminating (without a deletionTimestamp). The value is zero for finished jobs.","type":"integer","format":"int32"},"completedIndexes":{"description":"completedIndexes holds the completed indexes when .spec.completionMode = \"Indexed\" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\".","type":"string"},"completionTime":{"description":"Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. The completion time is set when the job finishes successfully, and only then. The value cannot be updated or removed. The value indicates the same or later point in time as the startTime field.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"conditions":{"description":"The latest available observations of an object's current state. When a Job fails, one of the conditions will have type \"Failed\" and status true. When a Job is suspended, one of the conditions will have type \"Suspended\" and status true; when the Job is resumed, the status of this condition will become false. 
When a Job is completed, one of the conditions will have type \"Complete\" and status true.\n\nA job is considered finished when it is in a terminal condition, either \"Complete\" or \"Failed\". A Job cannot have both the \"Complete\" and \"Failed\" conditions. Additionally, it cannot be in the \"Complete\" and \"FailureTarget\" conditions. The \"Complete\", \"Failed\" and \"FailureTarget\" conditions cannot be disabled.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.JobCondition"},"x-kubernetes-list-type":"atomic","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"failed":{"description":"The number of pods which reached phase Failed. The value increases monotonically.","type":"integer","format":"int32"},"failedIndexes":{"description":"FailedIndexes holds the failed indexes when spec.backoffLimitPerIndex is set. The indexes are represented in the text format analogous as for the `completedIndexes` field, ie. they are kept as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the failed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\". The set of failed indexes cannot overlap with the set of completed indexes.","type":"string"},"ready":{"description":"The number of active pods which have a Ready condition and are not terminating (without a deletionTimestamp).","type":"integer","format":"int32"},"startTime":{"description":"Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. 
It is represented in RFC3339 form and is in UTC.\n\nOnce set, the field can only be removed when the job is suspended. The field cannot be modified while the job is unsuspended or finished.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"succeeded":{"description":"The number of pods which reached phase Succeeded. The value increases monotonically for a given spec. However, it may decrease in reaction to scale down of elastic indexed jobs.","type":"integer","format":"int32"},"terminating":{"description":"The number of pods which are terminating (in phase Pending or Running and have a deletionTimestamp).\n\nThis field is beta-level. The job controller populates the field when the feature gate JobPodReplacementPolicy is enabled (enabled by default).","type":"integer","format":"int32"},"uncountedTerminatedPods":{"description":"uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:\n\n1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding\n    counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null. The structure is empty for finished jobs.","$ref":"#/definitions/io.k8s.api.batch.v1.UncountedTerminatedPods"}},"title":"io.k8s.api.batch.v1.JobStatus"},"io.k8s.api.batch.v1.JobTemplateSpec":{"description":"JobTemplateSpec describes the data a Job should have when created from a template","type":"object","properties":{"metadata":{"description":"Standard object's metadata of the jobs created from this template. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobSpec"}},"title":"io.k8s.api.batch.v1.JobTemplateSpec"},"io.k8s.api.batch.v1.PodFailurePolicy":{"description":"PodFailurePolicy describes how failed pods influence the backoffLimit.","type":"object","required":["rules"],"properties":{"rules":{"description":"A list of pod failure policy rules. The rules are evaluated in order. Once a rule matches a Pod failure, the remaining rules are ignored. When no rule matches the Pod failure, the default handling applies - the counter of pod failures is incremented and it is checked against the backoffLimit. At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyRule"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.batch.v1.PodFailurePolicy"},"io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement":{"description":"PodFailurePolicyOnExitCodesRequirement describes the requirement for handling a failed pod based on its container exit codes. In particular, it looks up the .state.terminated.exitCode for each app container and init container status, represented by the .status.containerStatuses and .status.initContainerStatuses fields in the Pod status, respectively. Containers completed with success (exit code 0) are excluded from the requirement check.","type":"object","required":["operator","values"],"properties":{"containerName":{"description":"Restricts the check for exit codes to the container with the specified name. When null, the rule applies to all containers. 
When specified, it should match one of the container or initContainer names in the pod template.","type":"string"},"operator":{"description":"Represents the relationship between the container exit code(s) and the specified values. Containers completed with success (exit code 0) are excluded from the requirement check. Possible values are:\n\n- In: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is in the set of specified values.\n- NotIn: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is not in the set of specified values.\nAdditional values are considered to be added in the future. Clients should react to an unknown operator by assuming the requirement is not satisfied.\n\nPossible enum values:\n - `\"In\"`\n - `\"NotIn\"`","type":"string","enum":["In","NotIn"]},"values":{"description":"Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement"},"io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern":{"description":"PodFailurePolicyOnPodConditionsPattern describes a pattern for matching an actual pod condition type.","type":"object","required":["type"],"properties":{"status":{"description":"Specifies the required Pod condition status. To match a pod condition it is required that the specified status equals the pod condition status. 
Defaults to True.","type":"string"},"type":{"description":"Specifies the required Pod condition type. To match a pod condition it is required that specified type equals the pod condition type.","type":"string"}},"title":"io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern"},"io.k8s.api.batch.v1.PodFailurePolicyRule":{"description":"PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of onExitCodes and onPodConditions, but not both, can be used in each rule.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are:\n\n- FailJob: indicates that the pod's job is marked as Failed and all\n  running pods are terminated.\n- FailIndex: indicates that the pod's index is marked as Failed and will\n  not be restarted.\n- Ignore: indicates that the counter towards the .backoffLimit is not\n  incremented and a replacement pod is created.\n- Count: indicates that the pod is handled in the default way - the\n  counter towards the .backoffLimit is incremented.\nAdditional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.\n\nPossible enum values:\n - `\"Count\"` This is an action which might be taken on a pod failure - the pod failure is handled in the default way - the counter towards .backoffLimit, represented by the job's .status.failed field, is incremented.\n - `\"FailIndex\"` This is an action which might be taken on a pod failure - mark the Job's index as failed to avoid restarts within this index. 
This action can only be used when backoffLimitPerIndex is set.\n - `\"FailJob\"` This is an action which might be taken on a pod failure - mark the pod's job as Failed and terminate all running pods.\n - `\"Ignore\"` This is an action which might be taken on a pod failure - the counter towards .backoffLimit, represented by the job's .status.failed field, is not incremented and a replacement pod is created.","type":"string","enum":["Count","FailIndex","FailJob","Ignore"]},"onExitCodes":{"description":"Represents the requirement on the container exit codes.","$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement"},"onPodConditions":{"description":"Represents the requirement on the pod conditions. The requirement is represented as a list of pod condition patterns. The requirement is satisfied if at least one pattern matches an actual pod condition. At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.batch.v1.PodFailurePolicyRule"},"io.k8s.api.batch.v1.SuccessPolicy":{"description":"SuccessPolicy describes when a Job can be declared as succeeded based on the success of some indexes.","type":"object","required":["rules"],"properties":{"rules":{"description":"rules represents the list of alternative rules for declaring the Job as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the \"SuccessCriteriaMet\" condition is added, and the lingering pods are removed. The terminal state for such a Job has the \"Complete\" condition. Additionally, these rules are evaluated in order; once the Job meets one of the rules, other rules are ignored. 
At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.SuccessPolicyRule"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.batch.v1.SuccessPolicy"},"io.k8s.api.batch.v1.SuccessPolicyRule":{"description":"SuccessPolicyRule describes a rule for declaring a Job as succeeded. Each rule must have at least one of the \"succeededIndexes\" or \"succeededCount\" specified.","type":"object","properties":{"succeededCount":{"description":"succeededCount specifies the minimal required size of the actual set of the succeeded indexes for the Job. When succeededCount is used along with succeededIndexes, the check is constrained only to the set of indexes specified by succeededIndexes. For example, given that succeededIndexes is \"1-4\", succeededCount is \"3\", and completed indexes are \"1\", \"3\", and \"5\", the Job isn't declared as succeeded because only \"1\" and \"3\" indexes are considered in that rule. When this field is null, this doesn't default to any value and is never evaluated at any time. When specified it needs to be a positive integer.","type":"integer","format":"int32"},"succeededIndexes":{"description":"succeededIndexes specifies the set of indexes which need to be contained in the actual set of the succeeded indexes for the Job. The list of indexes must be within 0 to \".spec.completions-1\" and must not contain duplicates. At least one element is required. The indexes are represented as intervals separated by commas. The intervals can be a decimal integer or a pair of decimal integers separated by a hyphen. A series of consecutive numbers is represented by its first and last element, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\". 
When this field is null, this field doesn't default to any value and is never evaluated at any time.","type":"string"}},"title":"io.k8s.api.batch.v1.SuccessPolicyRule"},"io.k8s.api.batch.v1.UncountedTerminatedPods":{"description":"UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job status counters.","type":"object","properties":{"failed":{"description":"failed holds UIDs of failed Pods.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"succeeded":{"description":"succeeded holds UIDs of succeeded Pods.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.batch.v1.UncountedTerminatedPods"},"io.k8s.api.certificates.v1.CertificateSigningRequest":{"description":"CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.\n\nKubelets use this API to obtain:\n 1. client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client-kubelet\" signerName).\n 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the \"kubernetes.io/kubelet-serving\" signerName).\n\nThis API can be used to request client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client\" signerName), or to obtain certificates from custom non-Kubernetes signers.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.","$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestSpec"},"status":{"description":"status contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure.","$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus"}},"x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}],"title":"io.k8s.api.certificates.v1.CertificateSigningRequest"},"io.k8s.api.certificates.v1.CertificateSigningRequestCondition":{"description":"CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time the condition last transitioned from one status to another. 
If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastUpdateTime":{"description":"lastUpdateTime is the time of the last update to this condition","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message contains a human readable message with details about the request state","type":"string"},"reason":{"description":"reason indicates a brief reason for the request state","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be \"False\" or \"Unknown\".","type":"string"},"type":{"description":"type of the condition. Known conditions are \"Approved\", \"Denied\", and \"Failed\".\n\nAn \"Approved\" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.\n\nA \"Denied\" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.\n\nA \"Failed\" condition is added via the /status subresource, indicating the signer failed to issue the certificate.\n\nApproved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.\n\nOnly one condition of a given type is allowed.","type":"string"}},"title":"io.k8s.api.certificates.v1.CertificateSigningRequestCondition"},"io.k8s.api.certificates.v1.CertificateSigningRequestList":{"description":"CertificateSigningRequestList is a collection of CertificateSigningRequest objects","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a collection of CertificateSigningRequest objects","type":"array","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"CertificateSigningRequestList","version":"v1"}],"title":"io.k8s.api.certificates.v1.CertificateSigningRequestList"},"io.k8s.api.certificates.v1.CertificateSigningRequestSpec":{"description":"CertificateSigningRequestSpec contains the certificate request.","type":"object","required":["request","signerName"],"properties":{"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n  1. Old signer that is unaware of the field (such as the in-tree\n     implementations prior to v1.22)\n  2. Signer whose configured maximum is shorter than the requested duration\n  3. 
Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.","type":"integer","format":"int32"},"extra":{"description":"extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"request":{"description":"request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.","type":"string","format":"byte"},"signerName":{"description":"signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n  Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n  Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. 
\"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n  Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.","type":"string"},"uid":{"description":"uid contains the uid of the user that created the CertificateSigningRequest. 
Populated by the API server on creation and immutable.","type":"string"},"usages":{"description":"usages specifies a set of key usages requested in the issued certificate.\n\nRequests for TLS client certificates typically request: \"digital signature\", \"key encipherment\", \"client auth\".\n\nRequests for TLS serving certificates typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"","type":"array","items":{"type":"string","enum":["any","cert sign","client auth","code signing","content commitment","crl sign","data encipherment","decipher only","digital signature","email protection","encipher only","ipsec end system","ipsec tunnel","ipsec user","key agreement","key encipherment","microsoft sgc","netscape sgc","ocsp signing","s/mime","server auth","signing","timestamping"]},"x-kubernetes-list-type":"atomic"},"username":{"description":"username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"string"}},"title":"io.k8s.api.certificates.v1.CertificateSigningRequestSpec"},"io.k8s.api.certificates.v1.CertificateSigningRequestStatus":{"description":"CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.","type":"object","properties":{"certificate":{"description":"certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. 
Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificate must contain one or more PEM blocks.\n 2. All PEM blocks must have the \"CERTIFICATE\" label, contain no headers, and the encoded data\n  must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.\n 3. Non-PEM content may appear before or after the \"CERTIFICATE\" PEM blocks and is unvalidated,\n  to allow for explanatory text as described in section 5.2 of RFC7468.\n\nIf more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.\n\nThe certificate is encoded in PEM format.\n\nWhen serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:\n\n    base64(\n    -----BEGIN CERTIFICATE-----\n    ...\n    -----END CERTIFICATE-----\n    )","type":"string","format":"byte"},"conditions":{"description":"conditions applied to the request. Known conditions are \"Approved\", \"Denied\", and \"Failed\".","type":"array","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}},"title":"io.k8s.api.certificates.v1.CertificateSigningRequestStatus"},"io.k8s.api.coordination.v1.Lease":{"description":"Lease defines a lease concept.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.coordination.v1.LeaseSpec"}},"x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}],"title":"io.k8s.api.coordination.v1.Lease"},"io.k8s.api.coordination.v1.LeaseList":{"description":"LeaseList is a list of Lease objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"LeaseList","version":"v1"}],"title":"io.k8s.api.coordination.v1.LeaseList"},"io.k8s.api.coordination.v1.LeaseSpec":{"description":"LeaseSpec is a specification of a Lease.","type":"object","properties":{"acquireTime":{"description":"acquireTime is a time when the current lease was acquired.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"holderIdentity":{"description":"holderIdentity contains the identity of the holder of a current lease. If Coordinated Leader Election is used, the holder identity must be equal to the elected LeaseCandidate.metadata.name field.","type":"string"},"leaseDurationSeconds":{"description":"leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measured against the time of last observed renewTime.","type":"integer","format":"int32"},"leaseTransitions":{"description":"leaseTransitions is the number of transitions of a lease between holders.","type":"integer","format":"int32"},"preferredHolder":{"description":"PreferredHolder signals to a lease holder that the lease has a more optimal holder and should be given up. This field can only be set if Strategy is also set.","type":"string"},"renewTime":{"description":"renewTime is a time when the current holder of a lease has last updated the lease.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"strategy":{"description":"Strategy indicates the strategy for picking the leader for coordinated leader election. 
If the field is not specified, there is no active coordination for this lease. (Alpha) Using this field requires the CoordinatedLeaderElection feature gate to be enabled.","type":"string"}},"title":"io.k8s.api.coordination.v1.LeaseSpec"},"io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource":{"description":"Represents a Persistent Disk resource in AWS.\n\nAn AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}},"title":"io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"io.k8s.api.core.v1.Affinity":{"description":"Affinity is a group of affinity scheduling rules.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","$ref":"#/definitions/io.k8s.api.core.v1.NodeAffinity"},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","$ref":"#/definitions/io.k8s.api.core.v1.PodAffinity"},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","$ref":"#/definitions/io.k8s.api.core.v1.PodAntiAffinity"}},"title":"io.k8s.api.core.v1.Affinity"},"io.k8s.api.core.v1.AppArmorProfile":{"description":"AppArmorProfile defines a pod or container's AppArmor settings.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied. 
Valid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.\n\nPossible enum values:\n - `\"Localhost\"` indicates that a profile pre-loaded on the node should be used.\n - `\"RuntimeDefault\"` indicates that the container runtime's default AppArmor profile should be used.\n - `\"Unconfined\"` indicates that no AppArmor profile should be enforced.","type":"string","enum":["Localhost","RuntimeDefault","Unconfined"]}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"localhostProfile":"LocalhostProfile"}}],"title":"io.k8s.api.core.v1.AppArmorProfile"},"io.k8s.api.core.v1.AttachedVolume":{"description":"AttachedVolume describes a volume attached to a node","type":"object","required":["name","devicePath"],"properties":{"devicePath":{"description":"DevicePath represents the device path where the volume should be available","type":"string"},"name":{"description":"Name of the attached volume","type":"string"}},"title":"io.k8s.api.core.v1.AttachedVolume"},"io.k8s.api.core.v1.AzureDiskVolumeSource":{"description":"AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.\n\nPossible enum values:\n - `\"None\"`\n - `\"ReadOnly\"`\n - `\"ReadWrite\"`","type":"string","enum":["None","ReadOnly","ReadWrite"]},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared\n\nPossible enum values:\n - `\"Dedicated\"`\n - `\"Managed\"`\n - `\"Shared\"`","type":"string","enum":["Dedicated","Managed","Shared"]},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"}},"title":"io.k8s.api.core.v1.AzureDiskVolumeSource"},"io.k8s.api.core.v1.AzureFilePersistentVolumeSource":{"description":"AzureFile represents an Azure File Service mount on the host and bind mount to the pod.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the name of secret that contains Azure Storage Account Name and Key","type":"string"},"secretNamespace":{"description":"secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod","type":"string"},"shareName":{"description":"shareName is the azure Share Name","type":"string"}},"title":"io.k8s.api.core.v1.AzureFilePersistentVolumeSource"},"io.k8s.api.core.v1.AzureFileVolumeSource":{"description":"AzureFile represents an Azure File Service mount on the host and bind mount to the pod.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). 
ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the  name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}},"title":"io.k8s.api.core.v1.AzureFileVolumeSource"},"io.k8s.api.core.v1.Binding":{"description":"Binding ties one object to another; for example, a pod is bound to a node by a scheduler.","type":"object","required":["target"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"target":{"description":"The target object that you want to bind to the standard object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Binding","version":"v1"}],"title":"io.k8s.api.core.v1.Binding"},"io.k8s.api.core.v1.CSIPersistentVolumeSource":{"description":"Represents storage that is managed by an external CSI volume driver","type":"object","required":["driver","volumeHandle"],"properties":{"controllerExpandSecretRef":{"description":"controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"controllerPublishSecretRef":{"description":"controllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"driver":{"description":"driver is the name of the driver to use for this volume. Required.","type":"string"},"fsType":{"description":"fsType to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\".","type":"string"},"nodeExpandSecretRef":{"description":"nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. 
This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"nodeStageSecretRef":{"description":"nodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"readOnly":{"description":"readOnly value to pass to ControllerPublishVolumeRequest. Defaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes of the volume to publish.","type":"object","additionalProperties":{"type":"string"}},"volumeHandle":{"description":"volumeHandle is the unique volume name returned by the CSI volume plugin’s CreateVolume to refer to the volume on all subsequent calls. Required.","type":"string"}},"title":"io.k8s.api.core.v1.CSIPersistentVolumeSource"},"io.k8s.api.core.v1.CSIVolumeSource":{"description":"Represents a source location of a volume to mount, managed by an external CSI driver","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume. 
Consult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and  may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI driver. 
Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}},"title":"io.k8s.api.core.v1.CSIVolumeSource"},"io.k8s.api.core.v1.Capabilities":{"description":"Adds and removes POSIX capabilities from running containers.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.Capabilities"},"io.k8s.api.core.v1.CephFSPersistentVolumeSource":{"description":"Represents a Ceph Filesystem mount that lasts the lifetime of a pod. Cephfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"user":{"description":"user is Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}},"title":"io.k8s.api.core.v1.CephFSPersistentVolumeSource"},"io.k8s.api.core.v1.CephFSVolumeSource":{"description":"Represents a Ceph Filesystem mount that lasts the lifetime of a pod. Cephfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"user":{"description":"user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}},"title":"io.k8s.api.core.v1.CephFSVolumeSource"},"io.k8s.api.core.v1.CinderPersistentVolumeSource":{"description":"Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is Optional: points to a secret object containing parameters used to connect to OpenStack.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"volumeID":{"description":"volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}},"title":"io.k8s.api.core.v1.CinderPersistentVolumeSource"},"io.k8s.api.core.v1.CinderVolumeSource":{"description":"Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. 
Cinder volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"volumeID":{"description":"volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}},"title":"io.k8s.api.core.v1.CinderVolumeSource"},"io.k8s.api.core.v1.ClientIPConfig":{"description":"ClientIPConfig represents the configurations of Client IP based session affinity.","type":"object","properties":{"timeoutSeconds":{"description":"timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.ClientIPConfig"},"io.k8s.api.core.v1.ClusterTrustBundleProjection":{"description":"ClusterTrustBundleProjection describes how to select a set of ClusterTrustBundle objects and project their contents into the pod filesystem.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector.  Only has effect if signerName is set.  Mutually-exclusive with name.  If unset, interpreted as \"match nothing\".  
If set but empty, interpreted as \"match everything\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"name":{"description":"Select a single ClusterTrustBundle by object name.  Mutually-exclusive with signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s) aren't available.  If using name, then the named ClusterTrustBundle is allowed not to exist.  If using signerName, then the combination of signerName and labelSelector is allowed to match zero ClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name. Mutually-exclusive with name.  The contents of all selected ClusterTrustBundles will be unified and deduplicated.","type":"string"}},"title":"io.k8s.api.core.v1.ClusterTrustBundleProjection"},"io.k8s.api.core.v1.ComponentCondition":{"description":"Information about the condition of a component.","type":"object","required":["type","status"],"properties":{"error":{"description":"Condition error code for a component. For example, a health check error code.","type":"string"},"message":{"description":"Message about the condition for a component. For example, information about a health check.","type":"string"},"status":{"description":"Status of the condition for a component. Valid values for \"Healthy\": \"True\", \"False\", or \"Unknown\".","type":"string"},"type":{"description":"Type of condition for a component. Valid value: \"Healthy\"","type":"string"}},"title":"io.k8s.api.core.v1.ComponentCondition"},"io.k8s.api.core.v1.ComponentStatus":{"description":"ComponentStatus (and ComponentStatusList) holds the cluster validation info. 
Deprecated: This API is deprecated in v1.19+","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"conditions":{"description":"List of component conditions observed","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ComponentStatus","version":"v1"}],"title":"io.k8s.api.core.v1.ComponentStatus"},"io.k8s.api.core.v1.ComponentStatusList":{"description":"Status of all the conditions for the component as a list of ComponentStatus objects. Deprecated: This API is deprecated in v1.19+","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ComponentStatus objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentStatus"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ComponentStatusList","version":"v1"}],"title":"io.k8s.api.core.v1.ComponentStatusList"},"io.k8s.api.core.v1.ConfigMap":{"description":"ConfigMap holds configuration data for pods to consume.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"binaryData":{"description":"BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.","type":"object","additionalProperties":{"type":"string","format":"byte"}},"data":{"description":"Data contains the configuration data. 
Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.","type":"object","additionalProperties":{"type":"string"}},"immutable":{"description":"Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ConfigMap","version":"v1"}],"title":"io.k8s.api.core.v1.ConfigMap"},"io.k8s.api.core.v1.ConfigMapEnvSource":{"description":"ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.\n\nThe contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.","type":"object","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"title":"io.k8s.api.core.v1.ConfigMapEnvSource"},"io.k8s.api.core.v1.ConfigMapKeySelector":{"description":"Selects a key from a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.ConfigMapKeySelector"},"io.k8s.api.core.v1.ConfigMapList":{"description":"ConfigMapList is a resource containing a list of ConfigMap objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of ConfigMaps.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ConfigMapList","version":"v1"}],"title":"io.k8s.api.core.v1.ConfigMapList"},"io.k8s.api.core.v1.ConfigMapNodeConfigSource":{"description":"ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration","type":"object","required":["namespace","name","kubeletConfigKey"],"properties":{"kubeletConfigKey":{"description":"KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure. This field is required in all cases.","type":"string"},"name":{"description":"Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.","type":"string"},"namespace":{"description":"Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.","type":"string"},"resourceVersion":{"description":"ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.","type":"string"},"uid":{"description":"UID is the metadata.UID of the referenced ConfigMap. 
This field is forbidden in Node.Spec, and required in Node.Status.","type":"string"}},"title":"io.k8s.api.core.v1.ConfigMapNodeConfigSource"},"io.k8s.api.core.v1.ConfigMapProjection":{"description":"Adapts a ConfigMap into a projected volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"title":"io.k8s.api.core.v1.ConfigMapProjection"},"io.k8s.api.core.v1.ConfigMapVolumeSource":{"description":"Adapts a ConfigMap into a volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. 
Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"title":"io.k8s.api.core.v1.ConfigMapVolumeSource"},"io.k8s.api.core.v1.Container":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint. The container image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell. The container image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvVar"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"envFrom":{"description":"List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvFromSource"},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\nPossible enum values:\n - `\"Always\"` means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.\n - `\"IfNotPresent\"` means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.\n - `\"Never\"` means that kubelet never pulls an image, but only uses a local image. 
Container will fail if the image isn't present","type":"string","enum":["Always","IfNotPresent","Never"]},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events. Cannot be updated.","$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle"},"livenessProbe":{"description":"Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"name":{"description":"Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerPort"},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"containerPort","x-kubernetes-patch-strategy":"merge"},"readinessProbe":{"description":"Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"resizePolicy":{"description":"Resources resize policy for the container. 
This field cannot be set on ephemeral containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as \"Always\" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy \"Always\" will be shut down. This lifecycle differs from normal init containers and is often referred to as a \"sidecar\" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. 
When rules are specified, container MUST set RestartPolicy explicitly even if it matches the Pod's RestartPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerRestartRule"},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","$ref":"#/definitions/io.k8s.api.core.v1.SecurityContext"},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. 
If this flag is false, a container process that reads from stdin will never receive an EOF. Default is false","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n\nPossible enum values:\n - `\"FallbackToLogsOnError\"` will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.\n - `\"File\"` is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.","type":"string","enum":["FallbackToLogsOnError","File"]},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. 
Default is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeDevice"},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"devicePath","x-kubernetes-patch-strategy":"merge"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMount"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"},"workingDir":{"description":"Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.","type":"string"}},"title":"io.k8s.api.core.v1.Container"},"io.k8s.api.core.v1.ContainerExtendedResourceRequest":{"description":"ContainerExtendedResourceRequest has the mapping of container name, extended resource name to the device request name.","type":"object","required":["containerName","resourceName","requestName"],"properties":{"containerName":{"description":"The name of the container requesting resources.","type":"string"},"requestName":{"description":"The name of the request in the special ResourceClaim which corresponds to the extended resource.","type":"string"},"resourceName":{"description":"The name of the extended resource in that container which gets backed by DRA.","type":"string"}},"title":"io.k8s.api.core.v1.ContainerExtendedResourceRequest"},"io.k8s.api.core.v1.ContainerImage":{"description":"Describe a container image","type":"object","properties":{"names":{"description":"Names by which this image is known. e.g. 
[\"kubernetes.example/hyperkube:v1.0.7\", \"cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7\"]","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"sizeBytes":{"description":"The size of the image in bytes.","type":"integer","format":"int64"}},"title":"io.k8s.api.core.v1.ContainerImage"},"io.k8s.api.core.v1.ContainerPort":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.","type":"string"},"protocol":{"description":"Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"title":"io.k8s.api.core.v1.ContainerPort"},"io.k8s.api.core.v1.ContainerResizePolicy":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized. 
If not specified, it defaults to NotRequired.","type":"string"}},"title":"io.k8s.api.core.v1.ContainerResizePolicy"},"io.k8s.api.core.v1.ContainerRestartRule":{"description":"ContainerRestartRule describes how a container exit is handled.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is \"Restart\" to restart the container.","type":"string"},"exitCodes":{"description":"Represents the exit codes to check on container exits.","$ref":"#/definitions/io.k8s.api.core.v1.ContainerRestartRuleOnExitCodes"}},"title":"io.k8s.api.core.v1.ContainerRestartRule"},"io.k8s.api.core.v1.ContainerRestartRuleOnExitCodes":{"description":"ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.","type":"object","required":["operator"],"properties":{"operator":{"description":"Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the\n  set of specified values.\n- NotIn: the requirement is satisfied if the container exit code is\n  not in the set of specified values.","type":"string"},"values":{"description":"Specifies the set of values to check for container exit codes. At most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.core.v1.ContainerRestartRuleOnExitCodes"},"io.k8s.api.core.v1.ContainerState":{"description":"ContainerState holds a possible state of container. Only one of its members may be specified. 
If none of them is specified, the default one is ContainerStateWaiting.","type":"object","properties":{"running":{"description":"Details about a running container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateRunning"},"terminated":{"description":"Details about a terminated container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateTerminated"},"waiting":{"description":"Details about a waiting container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateWaiting"}},"title":"io.k8s.api.core.v1.ContainerState"},"io.k8s.api.core.v1.ContainerStateRunning":{"description":"ContainerStateRunning is a running state of a container.","type":"object","properties":{"startedAt":{"description":"Time at which the container was last (re-)started","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.api.core.v1.ContainerStateRunning"},"io.k8s.api.core.v1.ContainerStateTerminated":{"description":"ContainerStateTerminated is a terminated state of a container.","type":"object","required":["exitCode"],"properties":{"containerID":{"description":"Container's ID in the format '<type>://<container_id>'","type":"string"},"exitCode":{"description":"Exit status from the last termination of the container","type":"integer","format":"int32"},"finishedAt":{"description":"Time at which the container last terminated","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Message regarding the last termination of the container","type":"string"},"reason":{"description":"(brief) reason from the last termination of the container","type":"string"},"signal":{"description":"Signal from the last termination of the container","type":"integer","format":"int32"},"startedAt":{"description":"Time at which previous execution of the container 
started","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.api.core.v1.ContainerStateTerminated"},"io.k8s.api.core.v1.ContainerStateWaiting":{"description":"ContainerStateWaiting is a waiting state of a container.","type":"object","properties":{"message":{"description":"Message regarding why the container is not yet running.","type":"string"},"reason":{"description":"(brief) reason the container is not yet running.","type":"string"}},"title":"io.k8s.api.core.v1.ContainerStateWaiting"},"io.k8s.api.core.v1.ContainerStatus":{"description":"ContainerStatus contains details for the current status of this container.","type":"object","required":["name","ready","restartCount","image","imageID"],"properties":{"allocatedResources":{"description":"AllocatedResources represents the compute resources allocated for this container by the node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission and after successfully admitting desired pod resize.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"allocatedResourcesStatus":{"description":"AllocatedResourcesStatus represents the status of various resources allocated for this Pod.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceStatus"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"containerID":{"description":"ContainerID is the ID of the container in the format '<type>://<container_id>'. Where type is a container runtime identifier, returned from Version call of CRI API (for example \"containerd\").","type":"string"},"image":{"description":"Image is the name of container image that the container is running. The container image may not match the image used in the PodSpec, as it may have been resolved by the runtime. 
More info: https://kubernetes.io/docs/concepts/containers/images.","type":"string"},"imageID":{"description":"ImageID is the image ID of the container's image. The image ID may not match the image ID of the image used in the PodSpec, as it may have been resolved by the runtime.","type":"string"},"lastState":{"description":"LastTerminationState holds the last termination state of the container to help debug container crashes and restarts. This field is not populated if the container is still running and RestartCount is 0.","$ref":"#/definitions/io.k8s.api.core.v1.ContainerState"},"name":{"description":"Name is a DNS_LABEL representing the unique name of the container. Each container in a pod must have a unique name across all container types. Cannot be updated.","type":"string"},"ready":{"description":"Ready specifies whether the container is currently passing its readiness check. The value will change as readiness probes keep executing. If no readiness probes are specified, this field defaults to true once the container is fully started (see Started field).\n\nThe value is typically used to determine whether a container is ready to accept traffic.","type":"boolean"},"resources":{"description":"Resources represents the compute resource requests and limits that have been successfully enacted on the running container after it has been started or has been successfully resized.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartCount":{"description":"RestartCount holds the number of times the container has been restarted. Kubelet makes an effort to always increment the value, but there are cases when the state may be lost due to node restarts and then the value may be reset to 0. The value is never negative.","type":"integer","format":"int32"},"started":{"description":"Started indicates whether the container has finished its postStart lifecycle hook and passed its startup probe. 
Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. In both cases, startup probes will run again. Is always true when no startupProbe is defined and container is running and has passed the postStart lifecycle hook. The null value must be treated the same as false.","type":"boolean"},"state":{"description":"State holds details about the container's current condition.","$ref":"#/definitions/io.k8s.api.core.v1.ContainerState"},"stopSignal":{"description":"StopSignal reports the effective stop signal for this container\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - 
`\"SIGXFSZ\"`","type":"string","enum":["SIGABRT","SIGALRM","SIGBUS","SIGCHLD","SIGCLD","SIGCONT","SIGFPE","SIGHUP","SIGILL","SIGINT","SIGIO","SIGIOT","SIGKILL","SIGPIPE","SIGPOLL","SIGPROF","SIGPWR","SIGQUIT","SIGRTMAX","SIGRTMAX-1","SIGRTMAX-10","SIGRTMAX-11","SIGRTMAX-12","SIGRTMAX-13","SIGRTMAX-14","SIGRTMAX-2","SIGRTMAX-3","SIGRTMAX-4","SIGRTMAX-5","SIGRTMAX-6","SIGRTMAX-7","SIGRTMAX-8","SIGRTMAX-9","SIGRTMIN","SIGRTMIN+1","SIGRTMIN+10","SIGRTMIN+11","SIGRTMIN+12","SIGRTMIN+13","SIGRTMIN+14","SIGRTMIN+15","SIGRTMIN+2","SIGRTMIN+3","SIGRTMIN+4","SIGRTMIN+5","SIGRTMIN+6","SIGRTMIN+7","SIGRTMIN+8","SIGRTMIN+9","SIGSEGV","SIGSTKFLT","SIGSTOP","SIGSYS","SIGTERM","SIGTRAP","SIGTSTP","SIGTTIN","SIGTTOU","SIGURG","SIGUSR1","SIGUSR2","SIGVTALRM","SIGWINCH","SIGXCPU","SIGXFSZ"]},"user":{"description":"User represents user identity information initially attached to the first process of the container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerUser"},"volumeMounts":{"description":"Status of volume mounts.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMountStatus"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.core.v1.ContainerStatus"},"io.k8s.api.core.v1.ContainerUser":{"description":"ContainerUser represents user identity information","type":"object","properties":{"linux":{"description":"Linux holds user identity information initially attached to the first process of the containers in Linux. 
Note that the actual running identity can be changed if the process has enough privilege to do so.","$ref":"#/definitions/io.k8s.api.core.v1.LinuxContainerUser"}},"title":"io.k8s.api.core.v1.ContainerUser"},"io.k8s.api.core.v1.DaemonEndpoint":{"description":"DaemonEndpoint contains information about a single Daemon endpoint.","type":"object","required":["Port"],"properties":{"Port":{"description":"Port number of the given endpoint.","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.DaemonEndpoint"},"io.k8s.api.core.v1.DownwardAPIProjection":{"description":"Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.DownwardAPIProjection"},"io.k8s.api.core.v1.DownwardAPIVolumeFile":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is  the relative path name of the file to be created. 
Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"}},"title":"io.k8s.api.core.v1.DownwardAPIVolumeFile"},"io.k8s.api.core.v1.DownwardAPIVolumeSource":{"description":"DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.DownwardAPIVolumeSource"},"io.k8s.api.core.v1.EmptyDirVolumeSource":{"description":"Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.core.v1.EmptyDirVolumeSource"},"io.k8s.api.core.v1.EndpointAddress":{"description":"EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+.","type":"object","required":["ip"],"properties":{"hostname":{"description":"The Hostname of this endpoint","type":"string"},"ip":{"description":"The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).","type":"string"},"nodeName":{"description":"Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.","type":"string"},"targetRef":{"description":"Reference to object providing the endpoint.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.EndpointAddress"},"io.k8s.api.core.v1.EndpointPort":{"description":"EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+.","type":"object","required":["port"],"properties":{"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. 
Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n  * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n  * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n  * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"The name of this port.  This must match the 'name' field in the corresponding ServicePort. Must be a DNS_LABEL. Optional only if one port is defined.","type":"string"},"port":{"description":"The port number of the endpoint.","type":"integer","format":"int32"},"protocol":{"description":"The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.EndpointPort"},"io.k8s.api.core.v1.EndpointSubset":{"description":"EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. 
For example, given:\n\n\t{\n\t  Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t  Ports:     [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.","type":"object","properties":{"addresses":{"description":"IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"},"x-kubernetes-list-type":"atomic"},"notReadyAddresses":{"description":"IP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"Port numbers available on the related IP addresses.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointPort"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.EndpointSubset"},"io.k8s.api.core.v1.Endpoints":{"description":"Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t   {\n\t     Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t     Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t   },\n\t   {\n\t     Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t     Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t   },\n\t]\n\nEndpoints is a legacy API and does not contain information about all Service features. 
Use discoveryv1.EndpointSlice for complete information about Service endpoints.\n\nDeprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"subsets":{"description":"The set of all endpoints is the union of all subsets. Addresses are placed into subsets according to the IPs they share. A single address with multiple ports, some of which are ready and some of which are not (because they come from different containers) will result in the address being displayed in different subsets for the different ports. No address will appear in both Addresses and NotReadyAddresses in the same subset. Sets of addresses and ports that comprise a service.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointSubset"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Endpoints","version":"v1"}],"title":"io.k8s.api.core.v1.Endpoints"},"io.k8s.api.core.v1.EndpointsList":{"description":"EndpointsList is a list of endpoints. 
Deprecated: This API is deprecated in v1.33+.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of endpoints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"EndpointsList","version":"v1"}],"title":"io.k8s.api.core.v1.EndpointsList"},"io.k8s.api.core.v1.EnvFromSource":{"description":"EnvFromSource represents the source of a set of ConfigMaps or Secrets","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource"},"prefix":{"description":"Optional text to prepend to the name of each environment variable. 
May consist of any printable ASCII characters except '='.","type":"string"},"secretRef":{"description":"The Secret to select from","$ref":"#/definitions/io.k8s.api.core.v1.SecretEnvSource"}},"title":"io.k8s.api.core.v1.EnvFromSource"},"io.k8s.api.core.v1.EnvVar":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable. May consist of any printable ASCII characters except '='.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","$ref":"#/definitions/io.k8s.api.core.v1.EnvVarSource"}},"title":"io.k8s.api.core.v1.EnvVar"},"io.k8s.api.core.v1.EnvVarSource":{"description":"EnvVarSource represents a source for the value of an EnvVar.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapKeySelector"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"},"fileKeyRef":{"description":"FileKeyRef selects a key of the env file. 
Requires the EnvFiles feature gate to be enabled.","$ref":"#/definitions/io.k8s.api.core.v1.FileKeySelector"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","$ref":"#/definitions/io.k8s.api.core.v1.SecretKeySelector"}},"title":"io.k8s.api.core.v1.EnvVarSource"},"io.k8s.api.core.v1.EphemeralContainer":{"description":"An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation.\n\nTo add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint. The image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell. The image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvVar"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"envFrom":{"description":"List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvFromSource"},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name. More info: https://kubernetes.io/docs/concepts/containers/images","type":"string"},"imagePullPolicy":{"description":"Image pull policy. 
One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\nPossible enum values:\n - `\"Always\"` means that kubelet always attempts to pull the latest image. Container will fail if the pull fails.\n - `\"IfNotPresent\"` means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.\n - `\"Never\"` means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present","type":"string","enum":["Always","IfNotPresent","Never"]},"lifecycle":{"description":"Lifecycle is not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle"},"livenessProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"name":{"description":"Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.","type":"string"},"ports":{"description":"Ports are not allowed for ephemeral containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerPort"},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"containerPort","x-kubernetes-patch-strategy":"merge"},"readinessProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources are not allowed for ephemeral containers. 
Ephemeral containers use spare resources already allocated to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartPolicy":{"description":"Restart policy for the container to manage the restart behavior of each container within a pod. You cannot set this field on ephemeral containers.","type":"string"},"restartPolicyRules":{"description":"Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerRestartRule"},"x-kubernetes-list-type":"atomic"},"securityContext":{"description":"Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.","$ref":"#/definitions/io.k8s.api.core.v1.SecurityContext"},"startupProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container process that reads from stdin will never receive an EOF. 
Default is false","type":"boolean"},"targetContainerName":{"description":"If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec.\n\nThe container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined.","type":"string"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. 
Cannot be updated.\n\nPossible enum values:\n - `\"FallbackToLogsOnError\"` will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.\n - `\"File\"` is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.","type":"string","enum":["FallbackToLogsOnError","File"]},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeDevice"},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"devicePath","x-kubernetes-patch-strategy":"merge"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMount"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"},"workingDir":{"description":"Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.","type":"string"}},"title":"io.k8s.api.core.v1.EphemeralContainer"},"io.k8s.api.core.v1.EphemeralVolumeSource":{"description":"Represents an ephemeral volume that is handled by a normal storage driver.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. 
the PVC will be deleted together with the pod.  The name of the PVC will be `<pod name>-<volume name>` where `<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to be updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.\n\nRequired, must not be nil.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimTemplate"}},"title":"io.k8s.api.core.v1.EphemeralVolumeSource"},"io.k8s.api.core.v1.Event":{"description":"Event is a report of an event somewhere in the cluster.  Events have a limited retention time and triggers and messages may evolve with time.  Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason.  Events should be treated as informative, best-effort, supplemental data.","type":"object","required":["metadata","involvedObject"],"properties":{"action":{"description":"What action was taken or failed with respect to the Regarding object.","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"count":{"description":"The number of times this event has occurred.","type":"integer","format":"int32"},"eventTime":{"description":"Time when this Event was first observed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"firstTimestamp":{"description":"The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"involvedObject":{"description":"The object that this event is about.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"lastTimestamp":{"description":"The time at which the most recent occurrence of this event was recorded.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human-readable description of the status of this operation.","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"reason":{"description":"This should be a short, machine understandable string that gives the reason for the transition into the object's current status.","type":"string"},"related":{"description":"Optional secondary object for more complex actions.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"reportingComponent":{"description":"Name of the controller that emitted this Event, e.g. 
`kubernetes.io/kubelet`.","type":"string"},"reportingInstance":{"description":"ID of the controller instance, e.g. `kubelet-xyzf`.","type":"string"},"series":{"description":"Data about the Event series this event represents or nil if it's a singleton Event.","$ref":"#/definitions/io.k8s.api.core.v1.EventSeries"},"source":{"description":"The component reporting this event. Should be a short machine understandable string.","$ref":"#/definitions/io.k8s.api.core.v1.EventSource"},"type":{"description":"Type of this event (Normal, Warning), new types could be added in the future","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Event","version":"v1"}],"title":"io.k8s.api.core.v1.Event"},"io.k8s.api.core.v1.EventList":{"description":"EventList is a list of events.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of events","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"EventList","version":"v1"}],"title":"io.k8s.api.core.v1.EventList"},"io.k8s.api.core.v1.EventSeries":{"description":"EventSeries contains information on a series of events, i.e. a thing that was/is happening continuously for some time.","type":"object","properties":{"count":{"description":"Number of occurrences in this series up to the last heartbeat time","type":"integer","format":"int32"},"lastObservedTime":{"description":"Time of the last occurrence observed","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"}},"title":"io.k8s.api.core.v1.EventSeries"},"io.k8s.api.core.v1.EventSource":{"description":"EventSource contains information for an event.","type":"object","properties":{"component":{"description":"Component from which the event is generated.","type":"string"},"host":{"description":"Node name on which the event is generated.","type":"string"}},"title":"io.k8s.api.core.v1.EventSource"},"io.k8s.api.core.v1.ExecAction":{"description":"ExecAction describes a \"run in container\" action.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.ExecAction"},"io.k8s.api.core.v1.FCVolumeSource":{"description":"Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. 
Fibre Channel volumes support ownership management and SELinux relabeling.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.FCVolumeSource"},"io.k8s.api.core.v1.FileKeySelector":{"description":"FileKeySelector selects a key of the env file.","type":"object","required":["volumeName","path","key"],"properties":{"key":{"description":"The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.","type":"string"},"optional":{"description":"Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. 
If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist, an error will be returned during Pod creation.","type":"boolean"},"path":{"description":"The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.","type":"string"},"volumeName":{"description":"The name of the volume mount containing the env file.","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.FileKeySelector"},"io.k8s.api.core.v1.FlexPersistentVolumeSource":{"description":"FlexPersistentVolumeSource represents a generic persistent volume resource that is provisioned/attached using an exec based plugin.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. 
If the secret object contains more than one secret, all secrets are passed to the plugin scripts.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"}},"title":"io.k8s.api.core.v1.FlexPersistentVolumeSource"},"io.k8s.api.core.v1.FlexVolumeSource":{"description":"FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"}},"title":"io.k8s.api.core.v1.FlexVolumeSource"},"io.k8s.api.core.v1.FlockerVolumeSource":{"description":"Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. 
Flocker volumes do not support ownership management or SELinux relabeling.","type":"object","properties":{"datasetName":{"description":"datasetName is the name of the dataset, stored as metadata -> name on the dataset for Flocker. It should be considered deprecated.","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is the unique identifier of a Flocker dataset","type":"string"}},"title":"io.k8s.api.core.v1.FlockerVolumeSource"},"io.k8s.api.core.v1.GCEPersistentDiskVolumeSource":{"description":"Represents a Persistent Disk resource in Google Compute Engine.\n\nA GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. 
Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}},"title":"io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"},"io.k8s.api.core.v1.GRPCAction":{"description":"GRPCAction specifies an action involving a GRPC service.","type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}},"title":"io.k8s.api.core.v1.GRPCAction"},"io.k8s.api.core.v1.GitRepoVolumeSource":{"description":"Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.\n\nDEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name. Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the git repository.  Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}},"title":"io.k8s.api.core.v1.GitRepoVolumeSource"},"io.k8s.api.core.v1.GlusterfsPersistentVolumeSource":{"description":"Represents a Glusterfs mount that lasts the lifetime of a pod. 
Glusterfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"endpointsNamespace":{"description":"endpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"path":{"description":"path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}},"title":"io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"},"io.k8s.api.core.v1.GlusterfsVolumeSource":{"description":"Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology.","type":"string"},"path":{"description":"path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}},"title":"io.k8s.api.core.v1.GlusterfsVolumeSource"},"io.k8s.api.core.v1.HTTPGetAction":{"description":"HTTPGetAction describes an action based on HTTP Get requests.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HTTPHeader"},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"scheme":{"description":"Scheme to use for connecting to the host. Defaults to HTTP.\n\nPossible enum values:\n - `\"HTTP\"` means that the scheme used will be http://\n - `\"HTTPS\"` means that the scheme used will be https://","type":"string","enum":["HTTP","HTTPS"]}},"title":"io.k8s.api.core.v1.HTTPGetAction"},"io.k8s.api.core.v1.HTTPHeader":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name. 
This will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}},"title":"io.k8s.api.core.v1.HTTPHeader"},"io.k8s.api.core.v1.HostAlias":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.","type":"object","required":["ip"],"properties":{"hostnames":{"description":"Hostnames for the above IP address.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"ip":{"description":"IP address of the host file entry.","type":"string"}},"title":"io.k8s.api.core.v1.HostAlias"},"io.k8s.api.core.v1.HostIP":{"description":"HostIP represents a single IP address allocated to the host.","type":"object","required":["ip"],"properties":{"ip":{"description":"IP is the IP address assigned to the host","type":"string"}},"title":"io.k8s.api.core.v1.HostIP"},"io.k8s.api.core.v1.HostPathVolumeSource":{"description":"Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host. If the path is a symlink, it will follow the link to the real path. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume. Defaults to \"\". More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath\n\nPossible enum values:\n - `\"\"` For backwards compatibility, leave it empty if unset\n - `\"BlockDevice\"` A block device must exist at the given path\n - `\"CharDevice\"` A character device must exist at the given path\n - `\"Directory\"` A directory must exist at the given path\n - `\"DirectoryOrCreate\"` If nothing exists at the given path, an empty directory will be created there as needed with file mode 0755, having the same group and ownership with Kubelet.\n - `\"File\"` A file must exist at the given path\n - `\"FileOrCreate\"` If nothing exists at the given path, an empty file will be created there as needed with file mode 0644, having the same group and ownership with Kubelet.\n - `\"Socket\"` A UNIX socket must exist at the given path","type":"string","enum":["","BlockDevice","CharDevice","Directory","DirectoryOrCreate","File","FileOrCreate","Socket"]}},"title":"io.k8s.api.core.v1.HostPathVolumeSource"},"io.k8s.api.core.v1.ISCSIPersistentVolumeSource":{"description":"ISCSIPersistentVolumeSource represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.","type":"object","required":["targetPortal","iqn","lun"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface <target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is Target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun is iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"string"}},"title":"io.k8s.api.core.v1.ISCSIPersistentVolumeSource"},"io.k8s.api.core.v1.ISCSIVolumeSource":{"description":"Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. 
ISCSI volumes support ownership management and SELinux relabeling.","type":"object","required":["targetPortal","iqn","lun"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface <target portal>:<volume name> will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"string"}},"title":"io.k8s.api.core.v1.ISCSIVolumeSource"},"io.k8s.api.core.v1.ImageVolumeSource":{"description":"ImageVolumeSource represents an image volume resource.","type":"object","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are: Always: the kubelet always attempts to pull the reference. Container creation will fail if the pull fails. Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.\n\nPossible enum values:\n - `\"Always\"` means that kubelet always attempts to pull the latest image. Container will fail if the pull fails.\n - `\"IfNotPresent\"` means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.\n - `\"Never\"` means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present","type":"string","enum":["Always","IfNotPresent","Never"]},"reference":{"description":"Required: Image or artifact reference to be used. Behaves in the same way as pod.spec.containers[*].image. Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. 
More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.","type":"string"}},"title":"io.k8s.api.core.v1.ImageVolumeSource"},"io.k8s.api.core.v1.KeyToPath":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.","type":"string"}},"title":"io.k8s.api.core.v1.KeyToPath"},"io.k8s.api.core.v1.Lifecycle":{"description":"Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","$ref":"#/definitions/io.k8s.api.core.v1.LifecycleHandler"},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","$ref":"#/definitions/io.k8s.api.core.v1.LifecycleHandler"},"stopSignal":{"description":"StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. 
StopSignal can only be set for Pods with a non-empty .spec.os.name\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - 
`\"SIGXFSZ\"`","type":"string","enum":["SIGABRT","SIGALRM","SIGBUS","SIGCHLD","SIGCLD","SIGCONT","SIGFPE","SIGHUP","SIGILL","SIGINT","SIGIO","SIGIOT","SIGKILL","SIGPIPE","SIGPOLL","SIGPROF","SIGPWR","SIGQUIT","SIGRTMAX","SIGRTMAX-1","SIGRTMAX-10","SIGRTMAX-11","SIGRTMAX-12","SIGRTMAX-13","SIGRTMAX-14","SIGRTMAX-2","SIGRTMAX-3","SIGRTMAX-4","SIGRTMAX-5","SIGRTMAX-6","SIGRTMAX-7","SIGRTMAX-8","SIGRTMAX-9","SIGRTMIN","SIGRTMIN+1","SIGRTMIN+10","SIGRTMIN+11","SIGRTMIN+12","SIGRTMIN+13","SIGRTMIN+14","SIGRTMIN+15","SIGRTMIN+2","SIGRTMIN+3","SIGRTMIN+4","SIGRTMIN+5","SIGRTMIN+6","SIGRTMIN+7","SIGRTMIN+8","SIGRTMIN+9","SIGSEGV","SIGSTKFLT","SIGSTOP","SIGSYS","SIGTERM","SIGTRAP","SIGTSTP","SIGTTIN","SIGTTOU","SIGURG","SIGUSR1","SIGUSR2","SIGVTALRM","SIGWINCH","SIGXCPU","SIGXFSZ"]}},"title":"io.k8s.api.core.v1.Lifecycle"},"io.k8s.api.core.v1.LifecycleHandler":{"description":"LifecycleHandler defines a specific action that should be taken in a lifecycle hook. One and only one of the fields, except TCPSocket must be specified.","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","$ref":"#/definitions/io.k8s.api.core.v1.ExecAction"},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","$ref":"#/definitions/io.k8s.api.core.v1.HTTPGetAction"},"sleep":{"description":"Sleep represents a duration that the container should sleep.","$ref":"#/definitions/io.k8s.api.core.v1.SleepAction"},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. 
There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.","$ref":"#/definitions/io.k8s.api.core.v1.TCPSocketAction"}},"title":"io.k8s.api.core.v1.LifecycleHandler"},"io.k8s.api.core.v1.LimitRange":{"description":"LimitRange sets resource usage limits for each kind of resource in a Namespace.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the limits enforced. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeSpec"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"LimitRange","version":"v1"}],"title":"io.k8s.api.core.v1.LimitRange"},"io.k8s.api.core.v1.LimitRangeItem":{"description":"LimitRangeItem defines a min/max usage limit for any resource that matches on kind.","type":"object","required":["type"],"properties":{"default":{"description":"Default resource requirement limit value by resource name if resource limit is omitted.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"defaultRequest":{"description":"DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"max":{"description":"Max usage constraints on this kind by resource name.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"maxLimitRequestRatio":{"description":"MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"min":{"description":"Min usage constraints on this kind by resource name.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"type":{"description":"Type of resource that this limit applies to.","type":"string"}},"title":"io.k8s.api.core.v1.LimitRangeItem"},"io.k8s.api.core.v1.LimitRangeList":{"description":"LimitRangeList is a list of LimitRange 
items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of LimitRange objects. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"LimitRangeList","version":"v1"}],"title":"io.k8s.api.core.v1.LimitRangeList"},"io.k8s.api.core.v1.LimitRangeSpec":{"description":"LimitRangeSpec defines a min/max usage limit for resources that match on kind.","type":"object","required":["limits"],"properties":{"limits":{"description":"Limits is the list of LimitRangeItem objects that are enforced.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeItem"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.LimitRangeSpec"},"io.k8s.api.core.v1.LinuxContainerUser":{"description":"LinuxContainerUser represents user identity information in Linux containers","type":"object","required":["uid","gid"],"properties":{"gid":{"description":"GID is the primary gid initially attached to the first process in the container","type":"integer","format":"int64"},"supplementalGroups":{"description":"SupplementalGroups are the supplemental groups initially attached to the first process in the container","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"uid":{"description":"UID is the primary uid initially attached to the first process in the container","type":"integer","format":"int64"}},"title":"io.k8s.api.core.v1.LinuxContainerUser"},"io.k8s.api.core.v1.LoadBalancerIngress":{"description":"LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.","type":"object","properties":{"hostname":{"description":"Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)","type":"string"},"ip":{"description":"IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack 
load-balancers)","type":"string"},"ipMode":{"description":"IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. Setting this to \"VIP\" indicates that traffic is delivered to the node with the destination set to the load-balancer's IP and port. Setting this to \"Proxy\" indicates that traffic is delivered to the node or pod with the destination set to the node's IP and node port or the pod's IP and port. Service implementations may use this information to adjust traffic routing.","type":"string"},"ports":{"description":"Ports is a list of records of service ports If used, every port defined in the service should have an entry in it","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PortStatus"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.LoadBalancerIngress"},"io.k8s.api.core.v1.LoadBalancerStatus":{"description":"LoadBalancerStatus represents the status of a load-balancer.","type":"object","properties":{"ingress":{"description":"Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LoadBalancerIngress"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.LoadBalancerStatus"},"io.k8s.api.core.v1.LocalObjectReference":{"description":"LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.LocalObjectReference"},"io.k8s.api.core.v1.LocalVolumeSource":{"description":"Local represents directly-attached storage with node affinity","type":"object","required":["path"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.","type":"string"},"path":{"description":"path of the full path to the volume on the node. It can be either a directory or block device (disk, partition, ...).","type":"string"}},"title":"io.k8s.api.core.v1.LocalVolumeSource"},"io.k8s.api.core.v1.ModifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately.\n\nPossible enum values:\n - `\"InProgress\"` InProgress indicates that the volume is being modified\n - `\"Infeasible\"` Infeasible indicates that the request has been rejected as invalid by the CSI driver. 
To resolve the error, a valid VolumeAttributesClass needs to be specified\n - `\"Pending\"` Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as the specified VolumeAttributesClass not existing","type":"string","enum":["InProgress","Infeasible","Pending"]},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}},"title":"io.k8s.api.core.v1.ModifyVolumeStatus"},"io.k8s.api.core.v1.NFSVolumeSource":{"description":"Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.","type":"object","required":["server","path"],"properties":{"path":{"description":"path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}},"title":"io.k8s.api.core.v1.NFSVolumeSource"},"io.k8s.api.core.v1.Namespace":{"description":"Namespace provides a scope for Names. Use of multiple namespaces is optional.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NamespaceSpec"},"status":{"description":"Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NamespaceStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Namespace","version":"v1"}],"title":"io.k8s.api.core.v1.Namespace"},"io.k8s.api.core.v1.NamespaceCondition":{"description":"NamespaceCondition contains details about state of namespace.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"Unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of namespace controller condition.","type":"string"}},"title":"io.k8s.api.core.v1.NamespaceCondition"},"io.k8s.api.core.v1.NamespaceList":{"description":"NamespaceList is a list of 
Namespaces.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"NamespaceList","version":"v1"}],"title":"io.k8s.api.core.v1.NamespaceList"},"io.k8s.api.core.v1.NamespaceSpec":{"description":"NamespaceSpec describes the attributes on a Namespace.","type":"object","properties":{"finalizers":{"description":"Finalizers is an opaque list of values that must be empty to permanently remove object from storage. 
More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.NamespaceSpec"},"io.k8s.api.core.v1.NamespaceStatus":{"description":"NamespaceStatus is information about the current status of a Namespace.","type":"object","properties":{"conditions":{"description":"Represents the latest available observations of a namespace's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"phase":{"description":"Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/\n\nPossible enum values:\n - `\"Active\"` means the namespace is available for use in the system\n - `\"Terminating\"` means the namespace is undergoing graceful termination","type":"string","enum":["Active","Terminating"]}},"title":"io.k8s.api.core.v1.NamespaceStatus"},"io.k8s.api.core.v1.Node":{"description":"Node is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NodeSpec"},"status":{"description":"Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NodeStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Node","version":"v1"}],"title":"io.k8s.api.core.v1.Node"},"io.k8s.api.core.v1.NodeAddress":{"description":"NodeAddress contains information for the node's address.","type":"object","required":["type","address"],"properties":{"address":{"description":"The node address.","type":"string"},"type":{"description":"Node address type, one of Hostname, ExternalIP or InternalIP.","type":"string"}},"title":"io.k8s.api.core.v1.NodeAddress"},"io.k8s.api.core.v1.NodeAffinity":{"description":"Node affinity is a group of node affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PreferredSchedulingTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}},"title":"io.k8s.api.core.v1.NodeAffinity"},"io.k8s.api.core.v1.NodeCondition":{"description":"NodeCondition contains condition information for a node.","type":"object","required":["type","status"],"properties":{"lastHeartbeatTime":{"description":"Last time we got an update on a given condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human readable message indicating details about last transition.","type":"string"},"reason":{"description":"(brief) reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of node condition.","type":"string"}},"title":"io.k8s.api.core.v1.NodeCondition"},"io.k8s.api.core.v1.NodeConfigSource":{"description":"NodeConfigSource specifies a source of node configuration. 
Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22","type":"object","properties":{"configMap":{"description":"ConfigMap is a reference to a Node's ConfigMap","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapNodeConfigSource"}},"title":"io.k8s.api.core.v1.NodeConfigSource"},"io.k8s.api.core.v1.NodeConfigStatus":{"description":"NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.","type":"object","properties":{"active":{"description":"Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"assigned":{"description":"Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"error":{"description":"Error describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. 
download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.","type":"string"},"lastKnownGood":{"description":"LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. 
You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"}},"title":"io.k8s.api.core.v1.NodeConfigStatus"},"io.k8s.api.core.v1.NodeDaemonEndpoints":{"description":"NodeDaemonEndpoints lists ports opened by daemons running on the Node.","type":"object","properties":{"kubeletEndpoint":{"description":"Endpoint on which Kubelet is listening.","$ref":"#/definitions/io.k8s.api.core.v1.DaemonEndpoint"}},"title":"io.k8s.api.core.v1.NodeDaemonEndpoints"},"io.k8s.api.core.v1.NodeFeatures":{"description":"NodeFeatures describes the set of features implemented by the CRI implementation. The features contained in the NodeFeatures should depend only on the cri implementation independent of runtime handlers.","type":"object","properties":{"supplementalGroupsPolicy":{"description":"SupplementalGroupsPolicy is set to true if the runtime supports SupplementalGroupsPolicy and ContainerUser.","type":"boolean"}},"title":"io.k8s.api.core.v1.NodeFeatures"},"io.k8s.api.core.v1.NodeList":{"description":"NodeList is the whole list of all Nodes which have been registered with master.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"NodeList","version":"v1"}],"title":"io.k8s.api.core.v1.NodeList"},"io.k8s.api.core.v1.NodeRuntimeHandler":{"description":"NodeRuntimeHandler is a set of runtime handler information.","type":"object","properties":{"features":{"description":"Supported features.","$ref":"#/definitions/io.k8s.api.core.v1.NodeRuntimeHandlerFeatures"},"name":{"description":"Runtime handler name. Empty for the default runtime handler.","type":"string"}},"title":"io.k8s.api.core.v1.NodeRuntimeHandler"},"io.k8s.api.core.v1.NodeRuntimeHandlerFeatures":{"description":"NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler.","type":"object","properties":{"recursiveReadOnlyMounts":{"description":"RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.","type":"boolean"},"userNamespaces":{"description":"UserNamespaces is set to true if the runtime handler supports UserNamespaces, including for volumes.","type":"boolean"}},"title":"io.k8s.api.core.v1.NodeRuntimeHandlerFeatures"},"io.k8s.api.core.v1.NodeSelector":{"description":"A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. 
The terms are ORed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.NodeSelector"},"io.k8s.api.core.v1.NodeSelectorRequirement":{"description":"A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.\n\nPossible enum values:\n - `\"DoesNotExist\"`\n - `\"Exists\"`\n - `\"Gt\"`\n - `\"In\"`\n - `\"Lt\"`\n - `\"NotIn\"`","type":"string","enum":["DoesNotExist","Exists","Gt","In","Lt","NotIn"]},"values":{"description":"An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.NodeSelectorRequirement"},"io.k8s.api.core.v1.NodeSelectorTerm":{"description":"A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement"},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.NodeSelectorTerm"},"io.k8s.api.core.v1.NodeSpec":{"description":"NodeSpec describes the attributes that a node is created with.","type":"object","properties":{"configSource":{"description":"Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"externalID":{"description":"Deprecated. Not all kubelets will set this field. Remove field after 1.13. see: https://issues.k8s.io/61966","type":"string"},"podCIDR":{"description":"PodCIDR represents the pod IP range assigned to the node.","type":"string"},"podCIDRs":{"description":"podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. 
It may contain at most 1 value for each of IPv4 and IPv6.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set","x-kubernetes-patch-strategy":"merge"},"providerID":{"description":"ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>","type":"string"},"taints":{"description":"If specified, the node's taints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Taint"},"x-kubernetes-list-type":"atomic"},"unschedulable":{"description":"Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration","type":"boolean"}},"title":"io.k8s.api.core.v1.NodeSpec"},"io.k8s.api.core.v1.NodeStatus":{"description":"NodeStatus is information about the current status of a node.","type":"object","properties":{"addresses":{"description":"List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/reference/node/node-status/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeAddress"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"allocatable":{"description":"Allocatable represents the resources of a node that are available for scheduling. 
Defaults to Capacity.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"capacity":{"description":"Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/reference/node/node-status/#capacity","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"conditions":{"description":"Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/reference/node/node-status/#condition","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"config":{"description":"Status of the config assigned to the node via the dynamic Kubelet config feature.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigStatus"},"daemonEndpoints":{"description":"Endpoints of daemons running on the Node.","$ref":"#/definitions/io.k8s.api.core.v1.NodeDaemonEndpoints"},"declaredFeatures":{"description":"DeclaredFeatures represents the features related to feature gates that are declared by the node.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"features":{"description":"Features describes the set of features implemented by the CRI implementation.","$ref":"#/definitions/io.k8s.api.core.v1.NodeFeatures"},"images":{"description":"List of container images on this node","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerImage"},"x-kubernetes-list-type":"atomic"},"nodeInfo":{"description":"Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/reference/node/node-status/#info","$ref":"#/definitions/io.k8s.api.core.v1.NodeSystemInfo"},"phase":{"description":"NodePhase is the recently observed lifecycle phase of the node. 
More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.\n\nPossible enum values:\n - `\"Pending\"` means the node has been created/added by the system, but not configured.\n - `\"Running\"` means the node has been configured and has Kubernetes components running.\n - `\"Terminated\"` means the node has been removed from the cluster.","type":"string","enum":["Pending","Running","Terminated"]},"runtimeHandlers":{"description":"The available runtime handlers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeRuntimeHandler"},"x-kubernetes-list-type":"atomic"},"volumesAttached":{"description":"List of volumes that are attached to the node.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.AttachedVolume"},"x-kubernetes-list-type":"atomic"},"volumesInUse":{"description":"List of attachable volumes in use (mounted) by the node.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.NodeStatus"},"io.k8s.api.core.v1.NodeSwapStatus":{"description":"NodeSwapStatus represents swap memory information.","type":"object","properties":{"capacity":{"description":"Total amount of swap memory in bytes.","type":"integer","format":"int64"}},"title":"io.k8s.api.core.v1.NodeSwapStatus"},"io.k8s.api.core.v1.NodeSystemInfo":{"description":"NodeSystemInfo is a set of ids/uuids to uniquely identify the node.","type":"object","required":["machineID","systemUUID","bootID","kernelVersion","osImage","containerRuntimeVersion","kubeletVersion","kubeProxyVersion","operatingSystem","architecture"],"properties":{"architecture":{"description":"The Architecture reported by the node","type":"string"},"bootID":{"description":"Boot ID reported by the node.","type":"string"},"containerRuntimeVersion":{"description":"ContainerRuntime Version reported by the node through runtime remote API (e.g. 
containerd://1.4.2).","type":"string"},"kernelVersion":{"description":"Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).","type":"string"},"kubeProxyVersion":{"description":"Deprecated: KubeProxy Version reported by the node.","type":"string"},"kubeletVersion":{"description":"Kubelet Version reported by the node.","type":"string"},"machineID":{"description":"MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html","type":"string"},"operatingSystem":{"description":"The Operating System reported by the node","type":"string"},"osImage":{"description":"OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).","type":"string"},"swap":{"description":"Swap Info reported by the node.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSwapStatus"},"systemUUID":{"description":"SystemUUID reported by the node. For unique machine identification MachineID is preferred. 
This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid","type":"string"}},"title":"io.k8s.api.core.v1.NodeSystemInfo"},"io.k8s.api.core.v1.ObjectFieldSelector":{"description":"ObjectFieldSelector selects an APIVersioned field of an object.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.ObjectFieldSelector"},"io.k8s.api.core.v1.ObjectReference":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.ObjectReference"},"io.k8s.api.core.v1.PersistentVolume":{"description":"PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"},"status":{"description":"status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolume","version":"v1"}],"title":"io.k8s.api.core.v1.PersistentVolume"},"io.k8s.api.core.v1.PersistentVolumeClaim":{"description":"PersistentVolumeClaim is a user's request for and claim to a persistent volume","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the desired characteristics of a volume requested by a pod author. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"},"status":{"description":"status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeClaim","version":"v1"}],"title":"io.k8s.api.core.v1.PersistentVolumeClaim"},"io.k8s.api.core.v1.PersistentVolumeClaimCondition":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, short, machine-understandable string that gives the reason for the condition's last transition. If it reports \"Resizing\" that means the underlying persistent volume is being resized.","type":"string"},"status":{"description":"Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required","type":"string"},"type":{"description":"Type is the type of the condition. 
More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about","type":"string"}},"title":"io.k8s.api.core.v1.PersistentVolumeClaimCondition"},"io.k8s.api.core.v1.PersistentVolumeClaimList":{"description":"PersistentVolumeClaimList is a list of PersistentVolumeClaim items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeClaimList","version":"v1"}],"title":"io.k8s.api.core.v1.PersistentVolumeClaimList"},"io.k8s.api.core.v1.PersistentVolumeClaimSpec":{"description":"PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.","$ref":"#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. 
When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn't specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn't set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","$ref":"#/definitions/io.k8s.api.core.v1.TypedObjectReference"},"resources":{"description":"resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","$ref":"#/definitions/io.k8s.api.core.v1.VolumeResourceRequirements"},"selector":{"description":"selector is a label query over volumes to consider for binding.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName; it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim. 
Value of Filesystem is implied when not included in claim spec.\n\nPossible enum values:\n - `\"Block\"` means the volume will not be formatted with a filesystem and will remain a raw block device.\n - `\"Filesystem\"` means the volume will be or is formatted with a filesystem.","type":"string","enum":["Block","Filesystem"]},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}},"title":"io.k8s.api.core.v1.PersistentVolumeClaimSpec"},"io.k8s.api.core.v1.PersistentVolumeClaimStatus":{"description":"PersistentVolumeClaimStatus is the current status of a persistent volume claim.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. 
Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. 
For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.","type":"object","additionalProperties":{"type":"string","enum":["ControllerResizeInProgress","ControllerResizeInfeasible","NodeResizeInProgress","NodeResizeInfeasible","NodeResizePending"]},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. 
For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'Resizing'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributesClass applied to this PersistentVolumeClaim.","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. When this is unset, there is no ModifyVolume operation being attempted.","$ref":"#/definitions/io.k8s.api.core.v1.ModifyVolumeStatus"},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.\n\nPossible enum values:\n - `\"Bound\"` used for PersistentVolumeClaims that are bound\n - `\"Lost\"` used for PersistentVolumeClaims that lost their underlying PersistentVolume. 
The claim was bound to a PersistentVolume and this volume does not exist any longer and all data on it was lost.\n - `\"Pending\"` used for PersistentVolumeClaims that are not yet bound","type":"string","enum":["Bound","Lost","Pending"]}},"title":"io.k8s.api.core.v1.PersistentVolumeClaimStatus"},"io.k8s.api.core.v1.PersistentVolumeClaimTemplate":{"description":"PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"}},"title":"io.k8s.api.core.v1.PersistentVolumeClaimTemplate"},"io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource":{"description":"PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts. 
Default false.","type":"boolean"}},"title":"io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"},"io.k8s.api.core.v1.PersistentVolumeList":{"description":"PersistentVolumeList is a list of PersistentVolume items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeList","version":"v1"}],"title":"io.k8s.api.core.v1.PersistentVolumeList"},"io.k8s.api.core.v1.PersistentVolumeSpec":{"description":"PersistentVolumeSpec is the specification of a persistent volume.","type":"object","properties":{"accessModes":{"description":"accessModes contains all ways the volume can be mounted. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","$ref":"#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource"},"capacity":{"description":"capacity is the description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource"},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource"},"claimRef":{"description":"claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference","x-kubernetes-map-type":"granular"},"csi":{"description":"csi represents storage that is handled by an external CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource"},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.FCVolumeSource"},"flexVolume":{"description":"flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","$ref":"#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource"},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. 
Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","$ref":"#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"},"glusterfs":{"description":"glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md","$ref":"#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"},"hostPath":{"description":"hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","$ref":"#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.","$ref":"#/definitions/io.k8s.api.core.v1.ISCSIPersistentVolumeSource"},"local":{"description":"local represents directly-attached storage with node affinity","$ref":"#/definitions/io.k8s.api.core.v1.LocalVolumeSource"},"mountOptions":{"description":"mountOptions is the list of mount options, e.g. [\"ro\", \"soft\"]. Not validated - mount will simply fail if one is invalid. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nfs":{"description":"nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","$ref":"#/definitions/io.k8s.api.core.v1.NFSVolumeSource"},"nodeAffinity":{"description":"nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled.","$ref":"#/definitions/io.k8s.api.core.v1.VolumeNodeAffinity"},"persistentVolumeReclaimPolicy":{"description":"persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming\n\nPossible enum values:\n - `\"Delete\"` means the volume will be deleted from Kubernetes on release from its claim. The volume plugin must support Deletion.\n - `\"Recycle\"` means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. The volume plugin must support Recycling.\n - `\"Retain\"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain.","type":"string","enum":["Delete","Recycle","Retain"]},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. 
Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.","$ref":"#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource"},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"},"storageClassName":{"description":"storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.","type":"string"},"storageos":{"description":"storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. 
More info: https://examples.k8s.io/volumes/storageos/README.md","$ref":"#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource"},"volumeAttributesClassName":{"description":"Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process.","type":"string"},"volumeMode":{"description":"volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.\n\nPossible enum values:\n - `\"Block\"` means the volume will not be formatted with a filesystem and will remain a raw block device.\n - `\"Filesystem\"` means the volume will be or is formatted with a filesystem.","type":"string","enum":["Block","Filesystem"]},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. 
All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"}},"title":"io.k8s.api.core.v1.PersistentVolumeSpec"},"io.k8s.api.core.v1.PersistentVolumeStatus":{"description":"PersistentVolumeStatus is the current status of a persistent volume.","type":"object","properties":{"lastPhaseTransitionTime":{"description":"lastPhaseTransitionTime is the time the phase transitioned from one to another and automatically resets to current time every time a volume phase transitions.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable message indicating details about why the volume is in this state.","type":"string"},"phase":{"description":"phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase\n\nPossible enum values:\n - `\"Available\"` used for PersistentVolumes that are not yet bound. Available volumes are held by the binder and matched to PersistentVolumeClaims\n - `\"Bound\"` used for PersistentVolumes that are bound\n - `\"Failed\"` used for PersistentVolumes that failed to be correctly recycled or deleted after being released from a claim\n - `\"Pending\"` used for PersistentVolumes that are not available\n - `\"Released\"` used for PersistentVolumes where the bound PersistentVolumeClaim was deleted. Released volumes must be recycled before becoming available again. This phase is used by the persistent volume claim binder to signal to another process to reclaim the resource","type":"string","enum":["Available","Bound","Failed","Pending","Released"]},"reason":{"description":"reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the 
CLI.","type":"string"}},"title":"io.k8s.api.core.v1.PersistentVolumeStatus"},"io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource":{"description":"Represents a Photon Controller persistent disk resource.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}},"title":"io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"},"io.k8s.api.core.v1.Pod":{"description":"Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the pod. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodSpec"},"status":{"description":"Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Pod","version":"v1"}],"title":"io.k8s.api.core.v1.Pod"},"io.k8s.api.core.v1.PodAffinity":{"description":"Pod affinity is a group of inter pod affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. 
When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.PodAffinity"},"io.k8s.api.core.v1.PodAffinityTerm":{"description":"Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. 
The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means \"this pod's namespace\". An empty selector ({}) matches all namespaces.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. 
Empty topologyKey is not allowed.","type":"string"}},"title":"io.k8s.api.core.v1.PodAffinityTerm"},"io.k8s.api.core.v1.PodAntiAffinity":{"description":"Pod anti affinity is a group of inter pod anti affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting \"weight\" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.PodAntiAffinity"},"io.k8s.api.core.v1.PodCertificateProjection":{"description":"PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.","type":"object","required":["signerName","keyType"],"properties":{"certificateChainPath":{"description":"Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.","type":"string"},"credentialBundlePath":{"description":"Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain.  If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.","type":"string"},"keyPath":{"description":"Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  
When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.","type":"string"},"keyType":{"description":"The type of keypair Kubelet will generate for the pod.\n\nValid values are \"RSA3072\", \"RSA4096\", \"ECDSAP256\", \"ECDSAP384\", \"ECDSAP521\", and \"ED25519\".","type":"string"},"maxExpirationSeconds":{"description":"maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nKubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.","type":"integer","format":"int32"},"signerName":{"description":"Kubelet's generated CSRs will be addressed to this signer.","type":"string"},"userAnnotations":{"description":"userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. 
Signers should deny requests that contain keys they do not recognize.","type":"object","additionalProperties":{"type":"string"}}},"title":"io.k8s.api.core.v1.PodCertificateProjection"},"io.k8s.api.core.v1.PodCondition":{"description":"PodCondition contains details for the current condition of this pod.","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"Last time we probed the condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human-readable message indicating details about last transition.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the pod condition was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.","type":"integer","format":"int64"},"reason":{"description":"Unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"string"},"type":{"description":"Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"string"}},"title":"io.k8s.api.core.v1.PodCondition"},"io.k8s.api.core.v1.PodDNSConfig":{"description":"PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.","type":"object","properties":{"nameservers":{"description":"A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. 
Duplicated nameservers will be removed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"options":{"description":"A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodDNSConfigOption"},"x-kubernetes-list-type":"atomic"},"searches":{"description":"A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.PodDNSConfig"},"io.k8s.api.core.v1.PodDNSConfigOption":{"description":"PodDNSConfigOption defines DNS resolver options of a pod.","type":"object","properties":{"name":{"description":"Name is this DNS resolver option's name. Required.","type":"string"},"value":{"description":"Value is this DNS resolver option's value.","type":"string"}},"title":"io.k8s.api.core.v1.PodDNSConfigOption"},"io.k8s.api.core.v1.PodExtendedResourceClaimStatus":{"description":"PodExtendedResourceClaimStatus is stored in the PodStatus for the extended resource requests backed by DRA. 
It stores the generated name for the corresponding special ResourceClaim created by the scheduler.","type":"object","required":["requestMappings","resourceClaimName"],"properties":{"requestMappings":{"description":"RequestMappings identifies the mapping of <container, extended resource backed by DRA> to  device request in the generated ResourceClaim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerExtendedResourceRequest"},"x-kubernetes-list-type":"atomic"},"resourceClaimName":{"description":"ResourceClaimName is the name of the ResourceClaim that was generated for the Pod in the namespace of the Pod.","type":"string"}},"title":"io.k8s.api.core.v1.PodExtendedResourceClaimStatus"},"io.k8s.api.core.v1.PodIP":{"description":"PodIP represents a single IP address allocated to the pod.","type":"object","required":["ip"],"properties":{"ip":{"description":"IP is the IP address assigned to the pod","type":"string"}},"title":"io.k8s.api.core.v1.PodIP"},"io.k8s.api.core.v1.PodList":{"description":"PodList is a list of Pods.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pods. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodList","version":"v1"}],"title":"io.k8s.api.core.v1.PodList"},"io.k8s.api.core.v1.PodOS":{"description":"PodOS defines the OS parameters of a pod.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: null","type":"string"}},"title":"io.k8s.api.core.v1.PodOS"},"io.k8s.api.core.v1.PodReadinessGate":{"description":"PodReadinessGate contains the reference to a pod condition","type":"object","required":["conditionType"],"properties":{"conditionType":{"description":"ConditionType refers to a condition in the pod's condition list with matching type.","type":"string"}},"title":"io.k8s.api.core.v1.PodReadinessGate"},"io.k8s.api.core.v1.PodResourceClaim":{"description":"PodResourceClaim references exactly one ResourceClaim, either directly or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim for the pod.\n\nIt adds a name to it that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim reference it with this name.","type":"object","required":["name"],"properties":{"name":{"description":"Name uniquely identifies this resource claim inside the pod. 
This must be a DNS_LABEL.","type":"string"},"resourceClaimName":{"description":"ResourceClaimName is the name of a ResourceClaim object in the same namespace as this pod.\n\nExactly one of ResourceClaimName and ResourceClaimTemplateName must be set.","type":"string"},"resourceClaimTemplateName":{"description":"ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in the same namespace as this pod.\n\nThe template will be used to create a new ResourceClaim, which will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The pod name and resource name, along with a generated component, will be used to form a unique name for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.\n\nThis field is immutable and no changes will be made to the corresponding ResourceClaim by the control plane after creating the ResourceClaim.\n\nExactly one of ResourceClaimName and ResourceClaimTemplateName must be set.","type":"string"}},"title":"io.k8s.api.core.v1.PodResourceClaim"},"io.k8s.api.core.v1.PodResourceClaimStatus":{"description":"PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim which references a ResourceClaimTemplate. It stores the generated name for the corresponding ResourceClaim.","type":"object","required":["name"],"properties":{"name":{"description":"Name uniquely identifies this resource claim inside the pod. This must match the name of an entry in pod.spec.resourceClaims, which implies that the string must be a DNS_LABEL.","type":"string"},"resourceClaimName":{"description":"ResourceClaimName is the name of the ResourceClaim that was generated for the Pod in the namespace of the Pod. If this is unset, then generating a ResourceClaim was not necessary. 
The pod.spec.resourceClaims entry can be ignored in this case.","type":"string"}},"title":"io.k8s.api.core.v1.PodResourceClaimStatus"},"io.k8s.api.core.v1.PodSchedulingGate":{"description":"PodSchedulingGate is associated to a Pod to guard its scheduling.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the scheduling gate. Each scheduling gate must have a unique name field.","type":"string"}},"title":"io.k8s.api.core.v1.PodSchedulingGate"},"io.k8s.api.core.v1.PodSecurityContext":{"description":"PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.AppArmorProfile"},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. 
Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used. Note that this field cannot be set when spec.os.name is windows.\n\nPossible enum values:\n - `\"Always\"` indicates that volume's ownership and permissions should always be changed whenever volume is mounted inside a Pod. This is the default behavior.\n - `\"OnRootMismatch\"` indicates that volume's ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume. This can help shorten the time it takes to change ownership and permissions of a volume.","type":"string","enum":["Always","OnRootMismatch"]},"runAsGroup":{"description":"The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. 
Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxChangePolicy":{"description":"seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. It has no effect on nodes that do not support SELinux or on volumes that do not support SELinux. Valid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option. This requires all Pods that share the same volume to use the same SELinux label. It is not possible to share the same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled recursively. \"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used. If not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes and \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. Note that this field cannot be set when spec.os.name is windows.","type":"string"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SELinuxOptions"},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SeccompProfile"},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified).  If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"description":"Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. 
Note that this field cannot be set when spec.os.name is windows.\n\nPossible enum values:\n - `\"Merge\"` means that the container's provided SupplementalGroups and FsGroup (specified in SecurityContext) will be merged with the primary user's groups as defined in the container image (in /etc/group).\n - `\"Strict\"` means that the container's provided SupplementalGroups and FsGroup (specified in SecurityContext) will be used instead of any groups defined in the container image.","type":"string","enum":["Merge","Strict"]},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Sysctl"},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.","$ref":"#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"}},"title":"io.k8s.api.core.v1.PodSecurityContext"},"io.k8s.api.core.v1.PodSpec":{"description":"PodSpec is a description of a pod.","type":"object","required":["containers"],"properties":{"activeDeadlineSeconds":{"description":"Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. 
Value must be a positive integer.","type":"integer","format":"int64"},"affinity":{"description":"If specified, the pod's scheduling constraints","$ref":"#/definitions/io.k8s.api.core.v1.Affinity"},"automountServiceAccountToken":{"description":"AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.","type":"boolean"},"containers":{"description":"List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Container"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"dnsConfig":{"description":"Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.","$ref":"#/definitions/io.k8s.api.core.v1.PodDNSConfig"},"dnsPolicy":{"description":"Set DNS policy for the pod. Defaults to \"ClusterFirst\". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.\n\nPossible enum values:\n - `\"ClusterFirst\"` indicates that the pod should use cluster DNS first unless hostNetwork is true, if it is available, then fall back on the default (as determined by kubelet) DNS settings.\n - `\"ClusterFirstWithHostNet\"` indicates that the pod should use cluster DNS first, if it is available, then fall back on the default (as determined by kubelet) DNS settings.\n - `\"Default\"` indicates that the pod should use the default (as determined by kubelet) DNS settings.\n - `\"None\"` indicates that the pod should use empty DNS settings. 
DNS parameters such as nameservers and search paths should be defined via DNSConfig.","type":"string","enum":["ClusterFirst","ClusterFirstWithHostNet","Default","None"]},"enableServiceLinks":{"description":"EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.","type":"boolean"},"ephemeralContainers":{"description":"List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EphemeralContainer"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"hostAliases":{"description":"HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HostAlias"},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"hostIPC":{"description":"Use the host's ipc namespace. Optional: Default to false.","type":"boolean"},"hostNetwork":{"description":"Host networking requested for this pod. Use the host's network namespace. When using HostNetwork you should specify ports so the scheduler is aware. When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`, and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`. Default to false.","type":"boolean"},"hostPID":{"description":"Use the host's pid namespace. 
Optional: Default to false.","type":"boolean"},"hostUsers":{"description":"Use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities, and it even allows users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.","type":"boolean"},"hostname":{"description":"Specifies the hostname of the Pod. If not specified, the pod's hostname will be set to a system-defined value.","type":"string"},"hostnameOverride":{"description":"HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. This field only specifies the pod's hostname and does not affect its DNS records. When this field is set to a non-empty string: - It takes precedence over the values set in `hostname` and `subdomain`. - The Pod's hostname will be set to this value. - `setHostnameAsFQDN` must be nil or set to false. - `hostNetwork` must be set to false.\n\nThis field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. Requires the HostnameOverride feature gate to be enabled.","type":"string"},"imagePullSecrets":{"description":"ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"initContainers":{"description":"List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Container"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"nodeName":{"description":"NodeName indicates in which node this pod is scheduled. If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName. Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod. This field should not be used to express a desire for the pod to be scheduled on a specific node. 
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename","type":"string"},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"os":{"description":"Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.resources - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup","$ref":"#/definitions/io.k8s.api.core.v1.PodOS"},"overhead":{"description":"Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. 
This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"preemptionPolicy":{"description":"PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.","type":"string","enum":["Never","PreemptLowerPriority"]},"priority":{"description":"The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.","type":"integer","format":"int32"},"priorityClassName":{"description":"If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. 
If not specified, the pod priority will be default or zero if there is no default.","type":"string"},"readinessGates":{"description":"If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to \"True\" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodReadinessGate"},"x-kubernetes-list-type":"atomic"},"resourceClaims":{"description":"ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodResourceClaim"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"},"resources":{"description":"Resources is the total amount of CPU and Memory resources required by all containers in the pod. It supports specifying Requests and Limits for \"cpu\", \"memory\" and \"hugepages-\" resource names only. ResourceClaims are not supported.\n\nThis field enables fine-grained control over resource allocation for the entire pod, allowing resource sharing among containers in a pod.\n\nThis is an alpha field and requires enabling the PodLevelResources feature gate.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartPolicy":{"description":"Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy\n\nPossible enum values:\n - `\"Always\"`\n - `\"Never\"`\n - `\"OnFailure\"`","type":"string","enum":["Always","Never","OnFailure"]},"runtimeClassName":{"description":"RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod.  If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the \"legacy\" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class","type":"string"},"schedulerName":{"description":"If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.","type":"string"},"schedulingGates":{"description":"SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.\n\nSchedulingGates can only be set at pod creation time, and be removed only afterwards.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodSchedulingGate"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"securityContext":{"description":"SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty.  See type description for default values of each field.","$ref":"#/definitions/io.k8s.api.core.v1.PodSecurityContext"},"serviceAccount":{"description":"DeprecatedServiceAccount is a deprecated alias for ServiceAccountName. 
Deprecated: Use serviceAccountName instead.","type":"string"},"serviceAccountName":{"description":"ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/","type":"string"},"setHostnameAsFQDN":{"description":"If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.","type":"boolean"},"shareProcessNamespace":{"description":"Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.","type":"boolean"},"subdomain":{"description":"If specified, the fully qualified Pod hostname will be \"<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>\". If not specified, the pod will not have a domainname at all.","type":"string"},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. 
Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.","type":"integer","format":"int64"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Toleration"},"x-kubernetes-list-type":"atomic"},"topologySpreadConstraints":{"description":"TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint"},"x-kubernetes-list-map-keys":["topologyKey","whenUnsatisfiable"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"topologyKey","x-kubernetes-patch-strategy":"merge"},"volumes":{"description":"List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Volume"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"},"workloadRef":{"description":"WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies.","$ref":"#/definitions/io.k8s.api.core.v1.WorkloadReference"}},"title":"io.k8s.api.core.v1.PodSpec"},"io.k8s.api.core.v1.PodStatus":{"description":"PodStatus represents information about the status of a pod. 
Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.","type":"object","properties":{"allocatedResources":{"description":"AllocatedResources is the total requests allocated for this pod by the node. If pod-level requests are not set, this will be the total requests aggregated across containers in the pod.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"conditions":{"description":"Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"containerStatuses":{"description":"Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"ephemeralContainerStatuses":{"description":"Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"extendedResourceClaimStatus":{"description":"Status of extended resource claim backed by DRA.","$ref":"#/definitions/io.k8s.api.core.v1.PodExtendedResourceClaimStatus"},"hostIP":{"description":"hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. A pod can be assigned to a node whose kubelet has a problem, which in turn means that HostIP will not be updated even if a node is assigned to the pod.","type":"string"},"hostIPs":{"description":"hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must match the hostIP field. This list is empty if the pod has not started yet. A pod can be assigned to a node whose kubelet has a problem, which in turn means that HostIPs will not be updated even if a node is assigned to this pod.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HostIP"},"x-kubernetes-list-type":"atomic","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"initContainerStatuses":{"description":"Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"message":{"description":"A human readable message indicating details about why the pod is in this condition.","type":"string"},"nominatedNodeName":{"description":"nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the pod status was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.","type":"integer","format":"int64"},"phase":{"description":"The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. 
Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)","type":"string","enum":["Failed","Pending","Running","Succeeded","Unknown"]},"podIP":{"description":"podIP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.","type":"string"},"podIPs":{"description":"podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. 
This list is empty if no IPs have been allocated yet.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodIP"},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"qosClass":{"description":"The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes\n\nPossible enum values:\n - `\"BestEffort\"` is the BestEffort qos class.\n - `\"Burstable\"` is the Burstable qos class.\n - `\"Guaranteed\"` is the Guaranteed qos class.","type":"string","enum":["BestEffort","Burstable","Guaranteed"]},"reason":{"description":"A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'","type":"string"},"resize":{"description":"Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. 
PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.","type":"string"},"resourceClaimStatuses":{"description":"Status of resource claims.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodResourceClaimStatus"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"},"resources":{"description":"Resources represents the compute resource requests and limits that have been applied at the pod level if pod-level requests or limits are set in PodSpec.Resources","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"startTime":{"description":"RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.api.core.v1.PodStatus"},"io.k8s.api.core.v1.PodTemplate":{"description":"PodTemplate describes a template for creating copies of a predefined pod.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"template":{"description":"Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodTemplate","version":"v1"}],"title":"io.k8s.api.core.v1.PodTemplate"},"io.k8s.api.core.v1.PodTemplateList":{"description":"PodTemplateList is a list of PodTemplates.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pod templates","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodTemplateList","version":"v1"}],"title":"io.k8s.api.core.v1.PodTemplateList"},"io.k8s.api.core.v1.PodTemplateSpec":{"description":"PodTemplateSpec describes the data a pod should have when created from a template","type":"object","properties":{"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodSpec"}},"title":"io.k8s.api.core.v1.PodTemplateSpec"},"io.k8s.api.core.v1.PortStatus":{"description":"PortStatus represents the error condition of a service port","type":"object","required":["port","protocol"],"properties":{"error":{"description":"Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n  CamelCase names\n- cloud provider specific error values must have names that comply with the\n  format foo.example.com/CamelCase.","type":"string"},"port":{"description":"Port is the port number of the service port of which status is recorded here","type":"integer","format":"int32"},"protocol":{"description":"Protocol is the protocol of the service port of which status is recorded here The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP 
protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"title":"io.k8s.api.core.v1.PortStatus"},"io.k8s.api.core.v1.PortworxVolumeSource":{"description":"PortworxVolumeSource represents a Portworx volume resource.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}},"title":"io.k8s.api.core.v1.PortworxVolumeSource"},"io.k8s.api.core.v1.PreferredSchedulingTerm":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["weight","preference"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.PreferredSchedulingTerm"},"io.k8s.api.core.v1.Probe":{"description":"Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.","type":"object","properties":{"exec":{"description":"Exec specifies a command to execute in the container.","$ref":"#/definitions/io.k8s.api.core.v1.ExecAction"},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. 
Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies a GRPC HealthCheckRequest.","$ref":"#/definitions/io.k8s.api.core.v1.GRPCAction"},"httpGet":{"description":"HTTPGet specifies an HTTP GET request to perform.","$ref":"#/definitions/io.k8s.api.core.v1.HTTPGetAction"},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies a connection to a TCP port.","$ref":"#/definitions/io.k8s.api.core.v1.TCPSocketAction"},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. 
spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.Probe"},"io.k8s.api.core.v1.ProjectedVolumeSource":{"description":"Represents a projected volume source","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections. Each entry in this list handles one source.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeProjection"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.ProjectedVolumeSource"},"io.k8s.api.core.v1.QuobyteVolumeSource":{"description":"Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to Default is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions. 
Defaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to Defaults to serviceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}},"title":"io.k8s.api.core.v1.QuobyteVolumeSource"},"io.k8s.api.core.v1.RBDPersistentVolumeSource":{"description":"Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.","type":"object","required":["monitors","image"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name. Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"user":{"description":"user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}},"title":"io.k8s.api.core.v1.RBDPersistentVolumeSource"},"io.k8s.api.core.v1.RBDVolumeSource":{"description":"Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.","type":"object","required":["monitors","image"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name. Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"user":{"description":"user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}},"title":"io.k8s.api.core.v1.RBDVolumeSource"},"io.k8s.api.core.v1.ReplicationController":{"description":"ReplicationController represents the configuration of a replication controller.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerSpec"},"status":{"description":"Status is the most recently observed status of the replication controller. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ReplicationController","version":"v1"}],"title":"io.k8s.api.core.v1.ReplicationController"},"io.k8s.api.core.v1.ReplicationControllerCondition":{"description":"ReplicationControllerCondition describes the state of a replication controller at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"The last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of replication controller condition.","type":"string"}},"title":"io.k8s.api.core.v1.ReplicationControllerCondition"},"io.k8s.api.core.v1.ReplicationControllerList":{"description":"ReplicationControllerList is a collection of replication 
controllers.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ReplicationControllerList","version":"v1"}],"title":"io.k8s.api.core.v1.ReplicationControllerList"},"io.k8s.api.core.v1.ReplicationControllerSpec":{"description":"ReplicationControllerSpec is the specification of a replication controller.","type":"object","properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. 
More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller","type":"integer","format":"int32"},"selector":{"description":"Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"template":{"description":"Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}},"title":"io.k8s.api.core.v1.ReplicationControllerSpec"},"io.k8s.api.core.v1.ReplicationControllerStatus":{"description":"ReplicationControllerStatus represents the current status of a replication controller.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"The number of available replicas (ready for at least minReadySeconds) for this replication controller.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a replication controller's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"fullyLabeledReplicas":{"description":"The number of pods that have labels matching the labels of the pod template 
of the replication controller.","type":"integer","format":"int32"},"observedGeneration":{"description":"ObservedGeneration reflects the generation of the most recently observed replication controller.","type":"integer","format":"int64"},"readyReplicas":{"description":"The number of ready replicas for this replication controller.","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the most recently observed number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.ReplicationControllerStatus"},"io.k8s.api.core.v1.ResourceClaim":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.","type":"string"},"request":{"description":"Request is the name chosen for a request in the referenced claim. 
If empty, everything from the claim is made available, otherwise only the result of this request.","type":"string"}},"title":"io.k8s.api.core.v1.ResourceClaim"},"io.k8s.api.core.v1.ResourceFieldSelector":{"description":"ResourceFieldSelector represents container resources (cpu, memory) and their output format","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.ResourceFieldSelector"},"io.k8s.api.core.v1.ResourceHealth":{"description":"ResourceHealth represents the health of a resource. It has the latest device health information. This is a part of KEP https://kep.k8s.io/4680.","type":"object","required":["resourceID"],"properties":{"health":{"description":"Health of the resource. can be one of:\n - Healthy: operates as normal\n - Unhealthy: reported unhealthy. We consider this a temporary health issue\n              since we do not have a mechanism today to distinguish\n              temporary and permanent issues.\n - Unknown: The status cannot be determined.\n            For example, Device Plugin got unregistered and hasn't been re-registered since.\n\nIn future we may want to introduce the PermanentlyUnhealthy Status.","type":"string"},"resourceID":{"description":"ResourceID is the unique identifier of the resource. 
See the ResourceID type for more information.","type":"string"}},"title":"io.k8s.api.core.v1.ResourceHealth"},"io.k8s.api.core.v1.ResourceQuota":{"description":"ResourceQuota sets aggregate quota restrictions enforced per namespace","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaSpec"},"status":{"description":"Status defines the actual enforced quota and its current usage. 
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuota","version":"v1"}],"title":"io.k8s.api.core.v1.ResourceQuota"},"io.k8s.api.core.v1.ResourceQuotaList":{"description":"ResourceQuotaList is a list of ResourceQuota items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ResourceQuota objects. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuotaList","version":"v1"}],"title":"io.k8s.api.core.v1.ResourceQuotaList"},"io.k8s.api.core.v1.ResourceQuotaSpec":{"description":"ResourceQuotaSpec defines the desired hard limits to enforce for Quota.","type":"object","properties":{"hard":{"description":"hard is the set of desired hard limits for each named resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"scopeSelector":{"description":"scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.","$ref":"#/definitions/io.k8s.api.core.v1.ScopeSelector"},"scopes":{"description":"A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.","type":"array","items":{"type":"string","enum":["BestEffort","CrossNamespacePodAffinity","NotBestEffort","NotTerminating","PriorityClass","Terminating","VolumeAttributesClass"]},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.ResourceQuotaSpec"},"io.k8s.api.core.v1.ResourceQuotaStatus":{"description":"ResourceQuotaStatus defines the enforced hard limits and observed use.","type":"object","properties":{"hard":{"description":"Hard is the set of enforced hard limits for each named resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"used":{"description":"Used is the current observed total usage of the resource in the namespace.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.core.v1.ResourceQuotaStatus"},"io.k8s.api.core.v1.ResourceRequirements":{"description":"ResourceRequirements describes the compute resource requirements.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.\n\nThis field depends on the DynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceClaim"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"requests":{"description":"Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.core.v1.ResourceRequirements"},"io.k8s.api.core.v1.ResourceStatus":{"description":"ResourceStatus represents the status of a single resource allocated to a Pod.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the resource. Must be unique within the pod and in case of non-DRA resource, match one of the resources from the pod spec. For DRA resources, the value must be \"claim:<claim_name>/<request>\". When this status is reported about a container, the \"claim_name\" and \"request\" must match one of the claims of this container.","type":"string"},"resources":{"description":"List of unique resources health. Each element in the list contains a unique resource ID and its health. At a minimum, for the lifetime of a Pod, resource ID must uniquely identify the resource allocated to the Pod on the Node. If another Pod on the same Node reports the status with the same resource ID, it must be the same resource they share. 
See ResourceID type definition for a specific format it has in various use cases.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceHealth"},"x-kubernetes-list-map-keys":["resourceID"],"x-kubernetes-list-type":"map"}},"title":"io.k8s.api.core.v1.ResourceStatus"},"io.k8s.api.core.v1.SELinuxOptions":{"description":"SELinuxOptions are the labels to be applied to the container","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}},"title":"io.k8s.api.core.v1.SELinuxOptions"},"io.k8s.api.core.v1.ScaleIOPersistentVolumeSource":{"description":"ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume","type":"object","required":["gateway","system","secretRef"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\"","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other sensitive information. 
If this is not provided, Login operation will fail.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"sslEnabled":{"description":"sslEnabled is the flag to enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.","type":"string"}},"title":"io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"},"io.k8s.api.core.v1.ScaleIOVolumeSource":{"description":"ScaleIOVolumeSource represents a persistent ScaleIO volume","type":"object","required":["gateway","system","secretRef"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other sensitive information. 
If this is not provided, Login operation will fail.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"sslEnabled":{"description":"sslEnabled is the flag to enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.","type":"string"}},"title":"io.k8s.api.core.v1.ScaleIOVolumeSource"},"io.k8s.api.core.v1.ScopeSelector":{"description":"A scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.","type":"object","properties":{"matchExpressions":{"description":"A list of scope selector requirements by scope of the resources.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ScopedResourceSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.ScopeSelector"},"io.k8s.api.core.v1.ScopedResourceSelectorRequirement":{"description":"A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.","type":"object","required":["scopeName","operator"],"properties":{"operator":{"description":"Represents a scope's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist.\n\nPossible enum values:\n - `\"DoesNotExist\"`\n - `\"Exists\"`\n - `\"In\"`\n - `\"NotIn\"`","type":"string","enum":["DoesNotExist","Exists","In","NotIn"]},"scopeName":{"description":"The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0\n - `\"VolumeAttributesClass\"` Match all pvc objects that have volume attributes class mentioned.","type":"string","enum":["BestEffort","CrossNamespacePodAffinity","NotBestEffort","NotTerminating","PriorityClass","Terminating","VolumeAttributesClass"]},"values":{"description":"An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.ScopedResourceSelectorRequirement"},"io.k8s.api.core.v1.SeccompProfile":{"description":"SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. 
Must be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied. Valid options are:\n\nLocalhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.\n\nPossible enum values:\n - `\"Localhost\"` indicates a profile defined in a file on the node should be used. The file's location is relative to <kubelet-root-dir>/seccomp.\n - `\"RuntimeDefault\"` represents the default container runtime seccomp profile.\n - `\"Unconfined\"` indicates no seccomp profile is applied (A.K.A. unconfined).","type":"string","enum":["Localhost","RuntimeDefault","Unconfined"]}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"localhostProfile":"LocalhostProfile"}}],"title":"io.k8s.api.core.v1.SeccompProfile"},"io.k8s.api.core.v1.Secret":{"description":"Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"description":"Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. 
Described in https://tools.ietf.org/html/rfc4648#section-4","type":"object","additionalProperties":{"type":"string","format":"byte"}},"immutable":{"description":"Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"stringData":{"description":"stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.","type":"object","additionalProperties":{"type":"string"}},"type":{"description":"Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Secret","version":"v1"}],"title":"io.k8s.api.core.v1.Secret"},"io.k8s.api.core.v1.SecretEnvSource":{"description":"SecretEnvSource selects a Secret to populate the environment variables with.\n\nThe contents of the target Secret's Data field will represent the key-value pairs as environment variables.","type":"object","properties":{"name":{"description":"Name of the referent. 
This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}},"title":"io.k8s.api.core.v1.SecretEnvSource"},"io.k8s.api.core.v1.SecretKeySelector":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from.  Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.SecretKeySelector"},"io.k8s.api.core.v1.SecretList":{"description":"SecretList is a list of Secret.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"SecretList","version":"v1"}],"title":"io.k8s.api.core.v1.SecretList"},"io.k8s.api.core.v1.SecretProjection":{"description":"Adapts a secret into a projected volume.\n\nThe contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"title":"io.k8s.api.core.v1.SecretProjection"},"io.k8s.api.core.v1.SecretReference":{"description":"SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace","type":"object","properties":{"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.SecretReference"},"io.k8s.api.core.v1.SecretVolumeSource":{"description":"Adapts a Secret into a volume.\n\nThe contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}},"title":"io.k8s.api.core.v1.SecretVolumeSource"},"io.k8s.api.core.v1.SecurityContext":{"description":"SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. If set, this profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.AppArmorProfile"},"capabilities":{"description":"The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. 
Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.Capabilities"},"privileged":{"description":"Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers. The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.\n\nPossible enum values:\n - `\"Default\"` uses the container runtime defaults for readonly and masked paths for /proc. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information.\n - `\"Unmasked\"` bypasses the default masking behavior of the container runtime and ensures the newly created /proc of the container stays intact with no modifications.","type":"string","enum":["Default","Unmasked"]},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. 
If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SELinuxOptions"},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SeccompProfile"},"windowsOptions":{"description":"The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
Note that this field cannot be set when spec.os.name is linux.","$ref":"#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"}},"title":"io.k8s.api.core.v1.SecurityContext"},"io.k8s.api.core.v1.Service":{"description":"Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ServiceSpec"},"status":{"description":"Most recently observed status of the service. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ServiceStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Service","version":"v1"}],"title":"io.k8s.api.core.v1.Service"},"io.k8s.api.core.v1.ServiceAccount":{"description":"ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"automountServiceAccountToken":{"description":"AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.","type":"boolean"},"imagePullSecrets":{"description":"ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"secrets":{"description":"Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a \"kubernetes.io/enforce-mountable-secrets\" annotation set to \"true\". The \"kubernetes.io/enforce-mountable-secrets\" annotation is deprecated since v1.32. Prefer separate namespaces to isolate access to mounted secrets. This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceAccount","version":"v1"}],"title":"io.k8s.api.core.v1.ServiceAccount"},"io.k8s.api.core.v1.ServiceAccountList":{"description":"ServiceAccountList is a list of ServiceAccount objects","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceAccountList","version":"v1"}],"title":"io.k8s.api.core.v1.ServiceAccountList"},"io.k8s.api.core.v1.ServiceAccountTokenProjection":{"description":"ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. 
The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours. Defaults to 1 hour and must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the token into.","type":"string"}},"title":"io.k8s.api.core.v1.ServiceAccountTokenProjection"},"io.k8s.api.core.v1.ServiceList":{"description":"ServiceList holds a list of services.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of services","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceList","version":"v1"}],"title":"io.k8s.api.core.v1.ServiceList"},"io.k8s.api.core.v1.ServicePort":{"description":"ServicePort contains information on service's port.","type":"object","required":["port"],"properties":{"appProtocol":{"description":"The application protocol for this port. 
This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n  * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n  * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n  * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.","type":"string"},"nodePort":{"description":"The port on each node on which this service is exposed when type is NodePort or LoadBalancer.  Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail.  If not specified, a port will be allocated if this Service requires one.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport","type":"integer","format":"int32"},"port":{"description":"The port that will be exposed by this service.","type":"integer","format":"int32"},"protocol":{"description":"The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]},"targetPort":{"description":"Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}},"title":"io.k8s.api.core.v1.ServicePort"},"io.k8s.api.core.v1.ServiceSpec":{"description":"ServiceSpec describes the attributes that a user creates on a service.","type":"object","properties":{"allocateLoadBalancerNodePorts":{"description":"allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is \"true\". It may be set to \"false\" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. 
This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.","type":"boolean"},"clusterIP":{"description":"clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as described above).  Valid values are \"None\", empty string (\"\"), or a valid IP address. Setting this to \"None\" makes a \"headless service\" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"string"},"clusterIPs":{"description":"ClusterIPs is a list of IP addresses assigned to this service, and are usually assigned randomly.  If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be empty) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as described above).  Valid values are \"None\", empty string (\"\"), or a valid IP address.  
Setting this to \"None\" makes a \"headless service\" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName.  If this field is not specified, it will be initialized from the clusterIP field.  If this field is specified, clients must ensure that clusterIPs[0] and clusterIP have the same value.\n\nThis field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"externalIPs":{"description":"externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service.  These IPs are not managed by Kubernetes.  The user is responsible for ensuring that traffic arrives at a node with this IP.  A common example is external load-balancers that are not part of the Kubernetes system.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"externalName":{"description":"externalName is the external reference that discovery mechanisms will return as an alias for this service (e.g. a DNS CNAME record). No proxying will be involved.  Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires `type` to be \"ExternalName\".","type":"string"},"externalTrafficPolicy":{"description":"externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's \"externally-facing\" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). 
If set to \"Local\", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get \"Cluster\" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.\n\nPossible enum values:\n - `\"Cluster\"` routes traffic to all endpoints.\n - `\"Local\"` preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).","type":"string","enum":["Cluster","Local"]},"healthCheckNodePort":{"description":"healthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used.  If not specified, a value will be automatically allocated.  External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type). This field cannot be updated once set.","type":"integer","format":"int32"},"internalTrafficPolicy":{"description":"InternalTrafficPolicy describes how nodes distribute service traffic they receive on the ClusterIP. 
If set to \"Local\", the proxy will assume that pods only want to talk to endpoints of the service on the same node as the pod, dropping the traffic if there are no local endpoints. The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features).\n\nPossible enum values:\n - `\"Cluster\"` routes traffic to all endpoints.\n - `\"Local\"` routes traffic only to endpoints on the same node as the client pod (dropping the traffic if there are no local endpoints).","type":"string","enum":["Cluster","Local"]},"ipFamilies":{"description":"IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. Valid values are \"IPv4\" and \"IPv6\".  This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to \"headless\" services. This field will be wiped when updating a Service to type ExternalName.\n\nThis field may hold a maximum of two entries (dual-stack families, in either order).  These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.","type":"array","items":{"type":"string","enum":["","IPv4","IPv6"]},"x-kubernetes-list-type":"atomic"},"ipFamilyPolicy":{"description":"IPFamilyPolicy represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to SingleStack. 
Services can be \"SingleStack\" (a single IP family), \"PreferDualStack\" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or \"RequireDualStack\" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field. This field will be wiped when updating a service to type ExternalName.\n\nPossible enum values:\n - `\"PreferDualStack\"` indicates that this service prefers dual-stack when the cluster is configured for dual-stack. If the cluster is not configured for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not set in service.spec.ipFamilies then the service will be assigned the default IPFamily configured on the cluster\n - `\"RequireDualStack\"` indicates that this service requires dual-stack. Using IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If service.spec.ipFamilies was not provided then it will be assigned according to how they are configured on the cluster. If service.spec.ipFamilies has only one entry then the alternative IPFamily will be added by apiserver\n - `\"SingleStack\"` indicates that this service is required to have a single IPFamily. The IPFamily assigned is based on the default IPFamily used by the cluster or as identified by service.spec.ipFamilies field","type":"string","enum":["PreferDualStack","RequireDualStack","SingleStack"]},"loadBalancerClass":{"description":"loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. \"internal-vip\" or \"example.com/internal-vip\". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. 
If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.","type":"string"},"loadBalancerIP":{"description":"Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations. Using it is non-portable and it may not support dual-stack. Users are encouraged to use implementation-specific annotations when available.","type":"string"},"loadBalancerSourceRanges":{"description":"If specified and supported by the platform, traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature. More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"The list of ports that are exposed by this service. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ServicePort"},"x-kubernetes-list-map-keys":["port","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"port","x-kubernetes-patch-strategy":"merge"},"publishNotReadyAddresses":{"description":"publishNotReadyAddresses indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready. The primary use case for setting this field is for a StatefulSet's Headless Service to propagate SRV DNS records for its Pods for the purpose of peer discovery. The Kubernetes controllers that generate Endpoints and EndpointSlice resources for Services interpret this to mean that all endpoints are considered \"ready\" even if the Pods themselves are not. Agents which consume only Kubernetes generated endpoints through the Endpoints or EndpointSlice resources can safely assume this behavior.","type":"boolean"},"selector":{"description":"Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"sessionAffinity":{"description":"Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies\n\nPossible enum values:\n - `\"ClientIP\"` is the Client IP based.\n - `\"None\"` - no session affinity.","type":"string","enum":["ClientIP","None"]},"sessionAffinityConfig":{"description":"sessionAffinityConfig contains the configurations of session affinity.","$ref":"#/definitions/io.k8s.api.core.v1.SessionAffinityConfig"},"trafficDistribution":{"description":"TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are in the same zone.","type":"string"},"type":{"description":"type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. \"ExternalName\" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types\n\nPossible enum values:\n - `\"ClusterIP\"` means a service will only be accessible inside the cluster, via the cluster IP.\n - `\"ExternalName\"` means a service consists of only a reference to an external name that kubedns or equivalent will return as a CNAME record, with no exposing or proxying of any pods involved.\n - `\"LoadBalancer\"` means a service will be exposed via an external load balancer (if the cloud provider supports it), in addition to 'NodePort' type.\n - `\"NodePort\"` means a service will be exposed on one port of every node, in addition to 'ClusterIP' type.","type":"string","enum":["ClusterIP","ExternalName","LoadBalancer","NodePort"]}},"title":"io.k8s.api.core.v1.ServiceSpec"},"io.k8s.api.core.v1.ServiceStatus":{"description":"ServiceStatus represents the current status of a service.","type":"object","properties":{"conditions":{"description":"Current service state","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"loadBalancer":{"description":"LoadBalancer contains the current status of the load-balancer, if one is present.","$ref":"#/definitions/io.k8s.api.core.v1.LoadBalancerStatus"}},"title":"io.k8s.api.core.v1.ServiceStatus"},"io.k8s.api.core.v1.SessionAffinityConfig":{"description":"SessionAffinityConfig represents the configurations of session affinity.","type":"object","properties":{"clientIP":{"description":"clientIP contains the configurations of Client IP based session affinity.","$ref":"#/definitions/io.k8s.api.core.v1.ClientIPConfig"}},"title":"io.k8s.api.core.v1.SessionAffinityConfig"},"io.k8s.api.core.v1.SleepAction":{"description":"SleepAction describes a \"sleep\" 
action.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}},"title":"io.k8s.api.core.v1.SleepAction"},"io.k8s.api.core.v1.StorageOSPersistentVolumeSource":{"description":"Represents a StorageOS persistent volume resource.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.","type":"string"}},"title":"io.k8s.api.core.v1.StorageOSPersistentVolumeSource"},"io.k8s.api.core.v1.StorageOSVolumeSource":{"description":"Represents a StorageOS persistent volume resource.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". 
Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.","type":"string"}},"title":"io.k8s.api.core.v1.StorageOSVolumeSource"},"io.k8s.api.core.v1.Sysctl":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}},"title":"io.k8s.api.core.v1.Sysctl"},"io.k8s.api.core.v1.TCPSocketAction":{"description":"TCPSocketAction describes an action based on opening a socket","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container. Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}},"title":"io.k8s.api.core.v1.TCPSocketAction"},"io.k8s.api.core.v1.Taint":{"description":"The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint.","type":"object","required":["key","effect"],"properties":{"effect":{"description":"Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the taint. Currently enforced by NodeController.\n - `\"NoSchedule\"` Do not allow new pods to schedule onto the node unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running. Enforced by the scheduler.\n - `\"PreferNoSchedule\"` Like TaintEffectNoSchedule, but the scheduler tries not to schedule new pods onto the node, rather than prohibiting new pods from scheduling onto the node entirely. Enforced by the scheduler.","type":"string","enum":["NoExecute","NoSchedule","PreferNoSchedule"]},"key":{"description":"Required. The taint key to be applied to a node.","type":"string"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string"}},"title":"io.k8s.api.core.v1.Taint"},"io.k8s.api.core.v1.Toleration":{"description":"The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects. 
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the taint. Currently enforced by NodeController.\n - `\"NoSchedule\"` Do not allow new pods to schedule onto the node unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running. Enforced by the scheduler.\n - `\"PreferNoSchedule\"` Like TaintEffectNoSchedule, but the scheduler tries not to schedule new pods onto the node, rather than prohibiting new pods from scheduling onto the node entirely. Enforced by the scheduler.","type":"string","enum":["NoExecute","NoSchedule","PreferNoSchedule"]},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`\n - `\"Gt\"`\n - `\"Lt\"`","type":"string","enum":["Equal","Exists","Gt","Lt"]},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to. 
If the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}},"title":"io.k8s.api.core.v1.Toleration"},"io.k8s.api.core.v1.TopologySelectorLabelRequirement":{"description":"A topology selector requirement is a selector that matches given label. This is an alpha feature and may change in the future.","type":"object","required":["key","values"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"values":{"description":"An array of string values. One value must match the label to be selected. Each entry in Values is ORed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.core.v1.TopologySelectorLabelRequirement"},"io.k8s.api.core.v1.TopologySelectorTerm":{"description":"A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.","type":"object","properties":{"matchLabelExpressions":{"description":"A list of topology selector requirements by labels.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySelectorLabelRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.TopologySelectorTerm"},"io.k8s.api.core.v1.TopologySpreadConstraint":{"description":"TopologySpreadConstraint specifies how to spread matching pods among the given topology.","type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"description":"LabelSelector is used to find matching pods. 
Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | |  P P  |  P P  |   P   | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. 
Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | |  P P  |  P P  |  P P  | The number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.","type":"string","enum":["Honor","Ignore"]},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.","type":"string","enum":["Honor","Ignore"]},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a \"bucket\", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology. And, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology. It's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. 
- ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.\n\nPossible enum values:\n - `\"DoNotSchedule\"` instructs the scheduler not to schedule the pod when constraints are not satisfied.\n - `\"ScheduleAnyway\"` instructs the scheduler to schedule the pod even if constraints are not satisfied.","type":"string","enum":["DoNotSchedule","ScheduleAnyway"]}},"title":"io.k8s.api.core.v1.TopologySpreadConstraint"},"io.k8s.api.core.v1.TypedLocalObjectReference":{"description":"TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. 
For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.core.v1.TypedLocalObjectReference"},"io.k8s.api.core.v1.TypedObjectReference":{"description":"TypedObjectReference contains enough information to let you locate the typed referenced object","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced. Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}},"title":"io.k8s.api.core.v1.TypedObjectReference"},"io.k8s.api.core.v1.Volume":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","$ref":"#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource"},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.CephFSVolumeSource"},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. 
More info: https://examples.k8s.io/mysql-cinder-pd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.CinderVolumeSource"},"configMap":{"description":"configMap represents a configMap that should populate this volume","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.","$ref":"#/definitions/io.k8s.api.core.v1.CSIVolumeSource"},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource"},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","$ref":"#/definitions/io.k8s.api.core.v1.EmptyDirVolumeSource"},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.\n\nUse this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.\n\nA pod can use both types of ephemeral volumes and persistent volumes at the same 
time.","$ref":"#/definitions/io.k8s.api.core.v1.EphemeralVolumeSource"},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.FCVolumeSource"},"flexVolume":{"description":"flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.","$ref":"#/definitions/io.k8s.api.core.v1.FlexVolumeSource"},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","$ref":"#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.","$ref":"#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource"},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. 
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource"},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","$ref":"#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"},"image":{"description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. 
The volume will be mounted read-only (ro) and with non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.","$ref":"#/definitions/io.k8s.api.core.v1.ImageVolumeSource"},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi","$ref":"#/definitions/io.k8s.api.core.v1.ISCSIVolumeSource"},"name":{"description":"name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","$ref":"#/definitions/io.k8s.api.core.v1.NFSVolumeSource"},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. 
All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.","$ref":"#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","$ref":"#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource"},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.RBDVolumeSource"},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource"},"secret":{"description":"secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret","$ref":"#/definitions/io.k8s.api.core.v1.SecretVolumeSource"},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.","$ref":"#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource"},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. 
All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.","$ref":"#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"}},"title":"io.k8s.api.core.v1.Volume"},"io.k8s.api.core.v1.VolumeDevice":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["name","devicePath"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}},"title":"io.k8s.api.core.v1.VolumeDevice"},"io.k8s.api.core.v1.VolumeMount":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["name","mountPath"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted.  Must not contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).\n\nPossible enum values:\n - `\"Bidirectional\"` means that the volume in a container will receive new mounts from the host or other containers, and its own mounts will be propagated from the container to the host or other containers. Note that this mode is recursively applied to all mounts in the volume (\"rshared\" in Linux terminology).\n - `\"HostToContainer\"` means that the volume in a container will receive new mounts from the host or other containers, but filesystems mounted inside the container won't be propagated to the host or other containers. 
Note that this mode is recursively applied to all mounts in the volume (\"rslave\" in Linux terminology).\n - `\"None\"` means that the volume in a container will not receive new mounts from the host or other containers, and filesystems mounted inside the container won't be propagated to the host or other containers. Note that this mode corresponds to \"private\" in Linux terminology.","type":"string","enum":["Bidirectional","HostToContainer","None"]},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only.  If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime.  If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). 
SubPathExpr and SubPath are mutually exclusive.","type":"string"}},"title":"io.k8s.api.core.v1.VolumeMount"},"io.k8s.api.core.v1.VolumeMountStatus":{"description":"VolumeMountStatus shows status of volume mounts.","type":"object","required":["name","mountPath"],"properties":{"mountPath":{"description":"MountPath corresponds to the original VolumeMount.","type":"string"},"name":{"description":"Name corresponds to the name of the original VolumeMount.","type":"string"},"readOnly":{"description":"ReadOnly corresponds to the original VolumeMount.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled, depending on the mount result.","type":"string"}},"title":"io.k8s.api.core.v1.VolumeMountStatus"},"io.k8s.api.core.v1.VolumeNodeAffinity":{"description":"VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.","type":"object","properties":{"required":{"description":"required specifies hard node constraints that must be met.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}},"title":"io.k8s.api.core.v1.VolumeNodeAffinity"},"io.k8s.api.core.v1.VolumeProjection":{"description":"Projection that may be projected along with other supported volume types. Exactly one of these fields must be set.","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written into the pod filesystem.  Esoteric PEM features such as inter-block comments and block headers are stripped.  
Certificates are deduplicated. The ordering of certificates within the file is arbitrary, and Kubelet may change the order over time.","$ref":"#/definitions/io.k8s.api.core.v1.ClusterTrustBundleProjection"},"configMap":{"description":"configMap information about the configMap data to project","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapProjection"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIProjection"},"podCertificate":{"description":"Projects an auto-rotating credential bundle (private key and certificate chain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a PodCertificateRequest to the named signer.  Once the signer approves the request and issues a certificate chain, Kubelet writes the key and certificate chain to the pod filesystem.  The pod does not start until certificates have been issued for each podCertificate projected volume source in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated by the signer using the PodCertificateRequest.Status.BeginRefreshAt timestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath field, or separate files, indicated by the keyPath and certificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  The first PEM entry is the private key (in PKCS#8 format), and the remaining PEM entries are the certificate chain issued by the signer (typically, signers will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code can read it atomically.  If you use keyPath and certificateChainPath, your application must make two separate file reads. If these coincide with a certificate rotation, it is possible that the private key and leaf certificate you read may not correspond to each other.  
Your application will need to check for this condition, and re-read until they are consistent.\n\nThe named signer chooses the format of the certificate it issues; consult the signer implementation's documentation to learn how to use the certificates it issues.","$ref":"#/definitions/io.k8s.api.core.v1.PodCertificateProjection"},"secret":{"description":"secret information about the secret data to project","$ref":"#/definitions/io.k8s.api.core.v1.SecretProjection"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccountTokenProjection"}},"title":"io.k8s.api.core.v1.VolumeProjection"},"io.k8s.api.core.v1.VolumeResourceRequirements":{"description":"VolumeResourceRequirements describes the storage resource requirements for a volume.","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"requests":{"description":"Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.core.v1.VolumeResourceRequirements"},"io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource":{"description":"Represents a vSphere volume resource.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount. 
Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}},"title":"io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"},"io.k8s.api.core.v1.WeightedPodAffinityTerm":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["weight","podAffinityTerm"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm, in the range 1-100.","type":"integer","format":"int32"}},"title":"io.k8s.api.core.v1.WeightedPodAffinityTerm"},"io.k8s.api.core.v1.WindowsSecurityContextOptions":{"description":"WindowsSecurityContextOptions contain Windows-specific options and credentials.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container. 
All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}},"title":"io.k8s.api.core.v1.WindowsSecurityContextOptions"},"io.k8s.api.core.v1.WorkloadReference":{"description":"WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.","type":"object","required":["name","podGroup"],"properties":{"name":{"description":"Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.","type":"string"},"podGroup":{"description":"PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.","type":"string"},"podGroupReplicaKey":{"description":"PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. 
When set, it must be a DNS label.","type":"string"}},"title":"io.k8s.api.core.v1.WorkloadReference"},"io.k8s.api.discovery.v1.Endpoint":{"description":"Endpoint represents a single logical \"backend\" implementing a service.","type":"object","required":["addresses"],"properties":{"addresses":{"description":"addresses of this endpoint. For EndpointSlices of addressType \"IPv4\" or \"IPv6\", the values are IP addresses in canonical form. The syntax and semantics of other addressType values are not defined. This must contain at least one address but no more than 100. EndpointSlices generated by the EndpointSlice controller will always have exactly 1 address. No semantics are defined for additional addresses beyond the first, and kube-proxy does not look at them.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"conditions":{"description":"conditions contains information about the current status of the endpoint.","$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointConditions"},"deprecatedTopology":{"description":"deprecatedTopology contains topology information part of the v1beta1 API. This field is deprecated, and will be removed when the v1beta1 API is removed (no sooner than kubernetes v1.24).  While this field can hold values, it is not writable through the v1 API, and any attempts to write to it will be silently ignored. Topology information can be found in the zone and nodeName fields instead.","type":"object","additionalProperties":{"type":"string"}},"hints":{"description":"hints contains information associated with how an endpoint should be consumed.","$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointHints"},"hostname":{"description":"hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). 
Must be lowercase and pass DNS Label (RFC 1123) validation.","type":"string"},"nodeName":{"description":"nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node.","type":"string"},"targetRef":{"description":"targetRef is a reference to a Kubernetes object that represents this endpoint.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"zone":{"description":"zone is the name of the Zone this endpoint exists in.","type":"string"}},"title":"io.k8s.api.discovery.v1.Endpoint"},"io.k8s.api.discovery.v1.EndpointConditions":{"description":"EndpointConditions represents the current condition of an endpoint.","type":"object","properties":{"ready":{"description":"ready indicates that this endpoint is ready to receive traffic, according to whatever system is managing the endpoint. A nil value should be interpreted as \"true\". In general, an endpoint should be marked ready if it is serving and not terminating, though this can be overridden in some cases, such as when the associated Service has set the publishNotReadyAddresses flag.","type":"boolean"},"serving":{"description":"serving indicates that this endpoint is able to receive traffic, according to whatever system is managing the endpoint. For endpoints backed by pods, the EndpointSlice controller will mark the endpoint as serving if the pod's Ready condition is True. A nil value should be interpreted as \"true\".","type":"boolean"},"terminating":{"description":"terminating indicates that this endpoint is terminating. A nil value should be interpreted as \"false\".","type":"boolean"}},"title":"io.k8s.api.discovery.v1.EndpointConditions"},"io.k8s.api.discovery.v1.EndpointHints":{"description":"EndpointHints provides hints describing how an endpoint should be consumed.","type":"object","properties":{"forNodes":{"description":"forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. 
May contain a maximum of 8 entries.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.ForNode"},"x-kubernetes-list-type":"atomic"},"forZones":{"description":"forZones indicates the zone(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.ForZone"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.discovery.v1.EndpointHints"},"io.k8s.api.discovery.v1.EndpointPort":{"description":"EndpointPort represents a Port used by an EndpointSlice","type":"object","properties":{"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n  * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n  * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n  * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"name represents the name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is derived from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. 
* must start and end with an alphanumeric character. Default is empty string.","type":"string"},"port":{"description":"port represents the port number of the endpoint. If the EndpointSlice is derived from a Kubernetes service, this must be set to the service's target port. EndpointSlices used for other purposes may have a nil port.","type":"integer","format":"int32"},"protocol":{"description":"protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.discovery.v1.EndpointPort"},"io.k8s.api.discovery.v1.EndpointSlice":{"description":"EndpointSlice represents a set of service endpoints. Most EndpointSlices are created by the EndpointSlice controller to represent the Pods selected by Service objects. For a given service there may be multiple EndpointSlice objects which must be joined to produce the full set of endpoints; you can find all of the slices for a given service by listing EndpointSlices in the service's namespace whose `kubernetes.io/service-name` label contains the service's name.","type":"object","required":["addressType","endpoints"],"properties":{"addressType":{"description":"addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name. (Deprecated) The EndpointSlice controller only generates, and kube-proxy only processes, slices of addressType \"IPv4\" and \"IPv6\". 
No semantics are defined for the \"FQDN\" type.\n\nPossible enum values:\n - `\"FQDN\"` represents a FQDN.\n - `\"IPv4\"` represents an IPv4 Address.\n - `\"IPv6\"` represents an IPv6 Address.","type":"string","enum":["FQDN","IPv4","IPv6"]},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"endpoints":{"description":"endpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.Endpoint"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"ports":{"description":"ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. Each slice may include a maximum of 100 ports. Services always have at least 1 port, so EndpointSlices generated by the EndpointSlice controller will likewise always have at least 1 port. 
EndpointSlices used for other purposes may have an empty ports list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointPort"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}],"title":"io.k8s.api.discovery.v1.EndpointSlice"},"io.k8s.api.discovery.v1.EndpointSliceList":{"description":"EndpointSliceList represents a list of endpoint slices","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of endpoint slices","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"discovery.k8s.io","kind":"EndpointSliceList","version":"v1"}],"title":"io.k8s.api.discovery.v1.EndpointSliceList"},"io.k8s.api.discovery.v1.ForNode":{"description":"ForNode provides information about which nodes should consume this endpoint.","type":"object","required":["name"],"properties":{"name":{"description":"name represents the name of the node.","type":"string"}},"title":"io.k8s.api.discovery.v1.ForNode"},"io.k8s.api.discovery.v1.ForZone":{"description":"ForZone provides information about which zones should consume this endpoint.","type":"object","required":["name"],"properties":{"name":{"description":"name represents the name of the zone.","type":"string"}},"title":"io.k8s.api.discovery.v1.ForZone"},"io.k8s.api.events.v1.Event":{"description":"Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time.  Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason.  Events should be treated as informative, best-effort, supplemental data.","type":"object","required":["eventTime"],"properties":{"action":{"description":"action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"deprecatedCount":{"description":"deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.","type":"integer","format":"int32"},"deprecatedFirstTimestamp":{"description":"deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deprecatedLastTimestamp":{"description":"deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deprecatedSource":{"description":"deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.api.core.v1.EventSource"},"eventTime":{"description":"eventTime is the time when this Event was first observed. It is required.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"note":{"description":"note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.","type":"string"},"reason":{"description":"reason is why the action was taken. It is human-readable. 
This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"regarding":{"description":"regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"related":{"description":"related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"reportingController":{"description":"reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.","type":"string"},"reportingInstance":{"description":"reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"series":{"description":"series is data about the Event series this event represents or nil if it's a singleton Event.","$ref":"#/definitions/io.k8s.api.events.v1.EventSeries"},"type":{"description":"type is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable. This field cannot be empty for new Events.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"events.k8s.io","kind":"Event","version":"v1"}],"title":"io.k8s.api.events.v1.Event"},"io.k8s.api.events.v1.EventList":{"description":"EventList is a list of Event objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"events.k8s.io","kind":"EventList","version":"v1"}],"title":"io.k8s.api.events.v1.EventList"},"io.k8s.api.events.v1.EventSeries":{"description":"EventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time. How often to update the EventSeries is up to the event reporters. 
The default event reporter in \"k8s.io/client-go/tools/events/event_broadcaster.go\" shows how this struct is updated on heartbeats and can guide customized reporter implementations.","type":"object","required":["count","lastObservedTime"],"properties":{"count":{"description":"count is the number of occurrences in this series up to the last heartbeat time.","type":"integer","format":"int32"},"lastObservedTime":{"description":"lastObservedTime is the time when last Event from the series was seen before last heartbeat.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"}},"title":"io.k8s.api.events.v1.EventSeries"},"io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration":{"description":"ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.","type":"object","properties":{"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels.  The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. 
The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.","type":"integer","format":"int32"}},"title":"io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration"},"io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod":{"description":"FlowDistinguisherMethod specifies the method of a flow distinguisher.","type":"object","required":["type"],"properties":{"type":{"description":"`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod"},"io.k8s.api.flowcontrol.v1.FlowSchema":{"description":"FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaSpec"},"status":{"description":"`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}],"title":"io.k8s.api.flowcontrol.v1.FlowSchema"},"io.k8s.api.flowcontrol.v1.FlowSchemaCondition":{"description":"FlowSchemaCondition describes conditions for a FlowSchema.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.FlowSchemaCondition"},"io.k8s.api.flowcontrol.v1.FlowSchemaList":{"description":"FlowSchemaList is a list of FlowSchema objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of FlowSchemas.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchemaList","version":"v1"}],"title":"io.k8s.api.flowcontrol.v1.FlowSchemaList"},"io.k8s.api.flowcontrol.v1.FlowSchemaSpec":{"description":"FlowSchemaSpec describes how the FlowSchema's specification looks like.","type":"object","required":["priorityLevelConfiguration"],"properties":{"distinguisherMethod":{"description":"`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod"},"matchingPrecedence":{"description":"`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000]. 
Note that if the precedence is not specified, it will be set to 1000 as default.","type":"integer","format":"int32"},"priorityLevelConfiguration":{"description":"`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference"},"rules":{"description":"`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.flowcontrol.v1.FlowSchemaSpec"},"io.k8s.api.flowcontrol.v1.FlowSchemaStatus":{"description":"FlowSchemaStatus represents the current state of a FlowSchema.","type":"object","properties":{"conditions":{"description":"`conditions` is a list of the current states of FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.flowcontrol.v1.FlowSchemaStatus"},"io.k8s.api.flowcontrol.v1.GroupSubject":{"description":"GroupSubject holds detailed information for group-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. 
Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.GroupSubject"},"io.k8s.api.flowcontrol.v1.LimitResponse":{"description":"LimitResponse defines how to handle requests that can not be executed right now.","type":"object","required":["type"],"properties":{"queuing":{"description":"`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.QueuingConfiguration"},"type":{"description":"`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"queuing":"Queuing"}}],"title":"io.k8s.api.flowcontrol.v1.LimitResponse"},"io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration":{"description":"LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n  - How are requests for this priority level limited?\n  - What should be done with requests that exceed the limit?","type":"object","properties":{"borrowingLimitPercent":{"description":"`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. 
When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.","type":"integer","format":"int32"},"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"limitResponse":{"description":"`limitResponse` indicates what to do with requests that can not be executed right now","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.LimitResponse"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. 
The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)","type":"integer","format":"int32"}},"title":"io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration"},"io.k8s.api.flowcontrol.v1.NonResourcePolicyRule":{"description":"NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.","type":"object","required":["verbs","nonResourceURLs"],"properties":{"nonResourceURLs":{"description":"`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n  - \"/healthz\" is legal\n  - \"/hea*\" is illegal\n  - \"/hea\" is legal but matches nothing\n  - \"/hea/*\" also matches nothing\n  - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. 
Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.flowcontrol.v1.NonResourcePolicyRule"},"io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects":{"description":"PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.","type":"object","required":["subjects"],"properties":{"nonResourceRules":{"description":"`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.NonResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"resourceRules":{"description":"`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"subjects":{"description":"subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. 
Required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.Subject"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration":{"description":"PriorityLevelConfiguration represents the configuration of a priority level.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec"},"status":{"description":"`status` is the current status of a \"request-priority\". 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}],"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition":{"description":"PriorityLevelConfigurationCondition defines the condition of priority level.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationList":{"description":"PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of request-priorities.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfigurationList","version":"v1"}],"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationList"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference":{"description":"PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the name of the priority level configuration being referenced Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec":{"description":"PriorityLevelConfigurationSpec specifies the configuration of a priority level.","type":"object","required":["type"],"properties":{"exempt":{"description":"`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. 
If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration"},"limited":{"description":"`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration"},"type":{"description":"`type` indicates whether this priority level is subject to limitation on request execution.  A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels.  A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"exempt":"Exempt","limited":"Limited"}}],"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec"},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus":{"description":"PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".","type":"object","properties":{"conditions":{"description":"`conditions` is the current state of \"request-priority\".","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus"},"io.k8s.api.flowcontrol.v1.QueuingConfiguration":{"description":"QueuingConfiguration holds the configuration parameters for queuing","type":"object","properties":{"handSize":{"description":"`handSize` is a small 
positive number that configures the shuffle sharding of requests into queues.  When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here.  The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues).  See the user-facing documentation for more extensive guidance on setting this field.  This field has a default value of 8.","type":"integer","format":"int32"},"queueLengthLimit":{"description":"`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected.  This value must be positive.  If not specified, it will be defaulted to 50.","type":"integer","format":"int32"},"queues":{"description":"`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive.  Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant.  This field has a default value of 64.","type":"integer","format":"int32"}},"title":"io.k8s.api.flowcontrol.v1.QueuingConfiguration"},"io.k8s.api.flowcontrol.v1.ResourcePolicyRule":{"description":"ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. 
A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and at least one member of namespaces matches the request's namespace.","type":"object","required":["verbs","apiGroups","resources"],"properties":{"apiGroups":{"description":"`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"clusterScope":{"description":"`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.","type":"boolean"},"namespaces":{"description":"`namespaces` is a list of target namespaces that restricts matches.  A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\".  Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"resources":{"description":"`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.  For example, [ \"services\", \"nodes/status\" ].  This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. 
Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.flowcontrol.v1.ResourcePolicyRule"},"io.k8s.api.flowcontrol.v1.ServiceAccountSubject":{"description":"ServiceAccountSubject holds detailed information for service-account-kind subject.","type":"object","required":["namespace","name"],"properties":{"name":{"description":"`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.","type":"string"},"namespace":{"description":"`namespace` is the namespace of matching ServiceAccount objects. Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.ServiceAccountSubject"},"io.k8s.api.flowcontrol.v1.Subject":{"description":"Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.","type":"object","required":["kind"],"properties":{"group":{"description":"`group` matches based on user group name.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.GroupSubject"},"kind":{"description":"`kind` indicates which one of the other fields is non-empty. 
Required","type":"string"},"serviceAccount":{"description":"`serviceAccount` matches ServiceAccounts.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ServiceAccountSubject"},"user":{"description":"`user` matches based on username.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.UserSubject"}},"x-kubernetes-unions":[{"discriminator":"kind","fields-to-discriminateBy":{"group":"Group","serviceAccount":"ServiceAccount","user":"User"}}],"title":"io.k8s.api.flowcontrol.v1.Subject"},"io.k8s.api.flowcontrol.v1.UserSubject":{"description":"UserSubject holds detailed information for user-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the username that matches, or \"*\" to match all usernames. Required.","type":"string"}},"title":"io.k8s.api.flowcontrol.v1.UserSubject"},"io.k8s.api.networking.v1.HTTPIngressPath":{"description":"HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.","type":"object","required":["pathType","backend"],"properties":{"backend":{"description":"backend defines the referenced service endpoint to which the traffic will be forwarded to.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressBackend"},"path":{"description":"path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".","type":"string"},"pathType":{"description":"pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n  done on a path element by element basis. A path element refers to the\n  list of labels in the path split by the '/' separator. 
A request is a\n  match for path p if every p is an element-wise prefix of p of the\n  request path. Note that if the last element of the path is a substring\n  of the last element in request path, it is not a match (e.g. /foo/bar\n  matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n  the IngressClass. Implementations can treat this as a separate PathType\n  or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.\n\nPossible enum values:\n - `\"Exact\"` matches the URL path exactly and with case sensitivity.\n - `\"ImplementationSpecific\"` matching is up to the IngressClass. Implementations can treat this as a separate PathType or treat it identically to Prefix or Exact path types.\n - `\"Prefix\"` matches based on a URL path prefix split by '/'. Matching is case sensitive and done on a path element by element basis. A path element refers to the list of labels in the path split by the '/' separator. A request is a match for path p if every p is an element-wise prefix of p of the request path. Note that if the last element of the path is a substring of the last element in request path, it is not a match (e.g. /foo/bar matches /foo/bar/baz, but does not match /foo/barbaz). If multiple matching paths exist in an Ingress spec, the longest matching path is given priority. Examples: - /foo/bar does not match requests to /foo/barbaz - /foo/bar matches request to /foo/bar and /foo/bar/baz - /foo and /foo/ both match requests to /foo and /foo/. If both paths are present in an Ingress spec, the longest matching path (/foo/) is given priority.","type":"string","enum":["Exact","ImplementationSpecific","Prefix"]}},"title":"io.k8s.api.networking.v1.HTTPIngressPath"},"io.k8s.api.networking.v1.HTTPIngressRuleValue":{"description":"HTTPIngressRuleValue is a list of http selectors pointing to backends. 
In the example: http://<host>/<path>?<searchpart> -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.","type":"object","required":["paths"],"properties":{"paths":{"description":"paths is a collection of paths that map requests to backends.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.HTTPIngressPath"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.HTTPIngressRuleValue"},"io.k8s.api.networking.v1.IPAddress":{"description":"IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IPAddressSpec"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IPAddress","version":"v1"}],"title":"io.k8s.api.networking.v1.IPAddress"},"io.k8s.api.networking.v1.IPAddressList":{"description":"IPAddressList contains a list of IPAddress.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of IPAddresses.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IPAddress"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IPAddressList","version":"v1"}],"title":"io.k8s.api.networking.v1.IPAddressList"},"io.k8s.api.networking.v1.IPAddressSpec":{"description":"IPAddressSpec describe the attributes in an IP Address.","type":"object","required":["parentRef"],"properties":{"parentRef":{"description":"ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object.","$ref":"#/definitions/io.k8s.api.networking.v1.ParentReference"}},"title":"io.k8s.api.networking.v1.IPAddressSpec"},"io.k8s.api.networking.v1.IPBlock":{"description":"IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"","type":"string"},"except":{"description":"except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.IPBlock"},"io.k8s.api.networking.v1.Ingress":{"description":"Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. 
An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressSpec"},"status":{"description":"status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressStatus"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}],"title":"io.k8s.api.networking.v1.Ingress"},"io.k8s.api.networking.v1.IngressBackend":{"description":"IngressBackend describes all endpoints for a given service and port.","type":"object","properties":{"resource":{"description":"resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. 
If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\".","$ref":"#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"},"service":{"description":"service references a service as a backend. This is a mutually exclusive setting with \"Resource\".","$ref":"#/definitions/io.k8s.api.networking.v1.IngressServiceBackend"}},"title":"io.k8s.api.networking.v1.IngressBackend"},"io.k8s.api.networking.v1.IngressClass":{"description":"IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the IngressClass. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassSpec"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}],"title":"io.k8s.api.networking.v1.IngressClass"},"io.k8s.api.networking.v1.IngressClassList":{"description":"IngressClassList is a collection of IngressClasses.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of IngressClasses.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressClassList","version":"v1"}],"title":"io.k8s.api.networking.v1.IngressClassList"},"io.k8s.api.networking.v1.IngressClassParametersReference":{"description":"IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"apiGroup is the group for the resource being referenced. 
If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"kind is the type of resource being referenced.","type":"string"},"name":{"description":"name is the name of resource being referenced.","type":"string"},"namespace":{"description":"namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".","type":"string"},"scope":{"description":"scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".","type":"string"}},"title":"io.k8s.api.networking.v1.IngressClassParametersReference"},"io.k8s.api.networking.v1.IngressClassSpec":{"description":"IngressClassSpec provides information about the class of an Ingress.","type":"object","properties":{"controller":{"description":"controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.","type":"string"},"parameters":{"description":"parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference"}},"title":"io.k8s.api.networking.v1.IngressClassSpec"},"io.k8s.api.networking.v1.IngressList":{"description":"IngressList is a collection of Ingress.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of Ingress.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressList","version":"v1"}],"title":"io.k8s.api.networking.v1.IngressList"},"io.k8s.api.networking.v1.IngressLoadBalancerIngress":{"description":"IngressLoadBalancerIngress represents the status of a load-balancer ingress point.","type":"object","properties":{"hostname":{"description":"hostname is set for load-balancer ingress points that are DNS based.","type":"string"},"ip":{"description":"ip is set for load-balancer ingress points that are IP based.","type":"string"},"ports":{"description":"ports provides information about the ports exposed by this LoadBalancer.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressPortStatus"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.IngressLoadBalancerIngress"},"io.k8s.api.networking.v1.IngressLoadBalancerStatus":{"description":"IngressLoadBalancerStatus represents the status of a load-balancer.","type":"object","properties":{"ingress":{"description":"ingress is a list containing ingress 
points for the load-balancer.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.IngressLoadBalancerStatus"},"io.k8s.api.networking.v1.IngressPortStatus":{"description":"IngressPortStatus represents the error condition of a service port","type":"object","required":["port","protocol"],"properties":{"error":{"description":"error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n  CamelCase names\n- cloud provider specific error values must have names that comply with the\n  format foo.example.com/CamelCase.","type":"string"},"port":{"description":"port is the port number of the ingress port.","type":"integer","format":"int32"},"protocol":{"description":"protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"title":"io.k8s.api.networking.v1.IngressPortStatus"},"io.k8s.api.networking.v1.IngressRule":{"description":"IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.","type":"object","properties":{"host":{"description":"host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n   the IP in the Spec of the parent Ingress.\n2. 
The `:` delimiter is not respected because ports are not allowed.\n\t  Currently the port of an Ingress is implicitly :80 for http and\n\t  :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is equal to the suffix (removing the first label) of the wildcard rule.","type":"string"},"http":{"$ref":"#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue"}},"title":"io.k8s.api.networking.v1.IngressRule"},"io.k8s.api.networking.v1.IngressServiceBackend":{"description":"IngressServiceBackend references a Kubernetes Service as a Backend.","type":"object","required":["name"],"properties":{"name":{"description":"name is the referenced service. The service must exist in the same namespace as the Ingress object.","type":"string"},"port":{"description":"port of the referenced service. 
A port name or port number is required for a IngressServiceBackend.","$ref":"#/definitions/io.k8s.api.networking.v1.ServiceBackendPort"}},"title":"io.k8s.api.networking.v1.IngressServiceBackend"},"io.k8s.api.networking.v1.IngressSpec":{"description":"IngressSpec describes the Ingress the user wishes to exist.","type":"object","properties":{"defaultBackend":{"description":"defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressBackend"},"ingressClassName":{"description":"ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.","type":"string"},"rules":{"description":"rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressRule"},"x-kubernetes-list-type":"atomic"},"tls":{"description":"tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. 
If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressTLS"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.IngressSpec"},"io.k8s.api.networking.v1.IngressStatus":{"description":"IngressStatus describe the current state of the Ingress.","type":"object","properties":{"loadBalancer":{"description":"loadBalancer contains the current status of the load-balancer.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus"}},"title":"io.k8s.api.networking.v1.IngressStatus"},"io.k8s.api.networking.v1.IngressTLS":{"description":"IngressTLS describes the transport layer security associated with an ingress.","type":"object","properties":{"hosts":{"description":"hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"secretName":{"description":"secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.","type":"string"}},"title":"io.k8s.api.networking.v1.IngressTLS"},"io.k8s.api.networking.v1.NetworkPolicy":{"description":"NetworkPolicy describes what network traffic is allowed for a set of Pods","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents the specification of the desired behavior for this NetworkPolicy.","$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}],"title":"io.k8s.api.networking.v1.NetworkPolicy"},"io.k8s.api.networking.v1.NetworkPolicyEgressRule":{"description":"NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8","type":"object","properties":{"ports":{"description":"ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"},"x-kubernetes-list-type":"atomic"},"to":{"description":"to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.NetworkPolicyEgressRule"},"io.k8s.api.networking.v1.NetworkPolicyIngressRule":{"description":"NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.","type":"object","properties":{"from":{"description":"from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.NetworkPolicyIngressRule"},"io.k8s.api.networking.v1.NetworkPolicyList":{"description":"NetworkPolicyList is a list of NetworkPolicy objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"NetworkPolicyList","version":"v1"}],"title":"io.k8s.api.networking.v1.NetworkPolicyList"},"io.k8s.api.networking.v1.NetworkPolicyPeer":{"description":"NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed","type":"object","properties":{"ipBlock":{"description":"ipBlock defines policy on a particular IPBlock. 
If this field is set then neither of the other fields can be.","$ref":"#/definitions/io.k8s.api.networking.v1.IPBlock"},"namespaceSelector":{"description":"namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"podSelector":{"description":"podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}},"title":"io.k8s.api.networking.v1.NetworkPolicyPeer"},"io.k8s.api.networking.v1.NetworkPolicyPort":{"description":"NetworkPolicyPort describes a port to allow traffic on","type":"object","properties":{"endPort":{"description":"endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.","type":"integer","format":"int32"},"port":{"description":"port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. 
If present, only traffic on the specified protocol AND port will be matched.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"protocol":{"description":"protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"title":"io.k8s.api.networking.v1.NetworkPolicyPort"},"io.k8s.api.networking.v1.NetworkPolicySpec":{"description":"NetworkPolicySpec provides the specification of a NetworkPolicy","type":"object","properties":{"egress":{"description":"egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule"},"x-kubernetes-list-type":"atomic"},"ingress":{"description":"ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. 
If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default).","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule"},"x-kubernetes-list-type":"atomic"},"podSelector":{"description":"podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy's namespace. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"policyTypes":{"description":"policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that includes \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). 
This field is beta-level in 1.8","type":"array","items":{"type":"string","enum":["Egress","Ingress"]},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.NetworkPolicySpec"},"io.k8s.api.networking.v1.ParentReference":{"description":"ParentReference describes a reference to a parent object.","type":"object","required":["resource","name"],"properties":{"group":{"description":"Group is the group of the object being referenced.","type":"string"},"name":{"description":"Name is the name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace is the namespace of the object being referenced.","type":"string"},"resource":{"description":"Resource is the resource of the object being referenced.","type":"string"}},"title":"io.k8s.api.networking.v1.ParentReference"},"io.k8s.api.networking.v1.ServiceBackendPort":{"description":"ServiceBackendPort is the service port being referenced.","type":"object","properties":{"name":{"description":"name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".","type":"string"},"number":{"description":"number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".","type":"integer","format":"int32"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.networking.v1.ServiceBackendPort"},"io.k8s.api.networking.v1.ServiceCIDR":{"description":"ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db8::/64). This range is used to allocate ClusterIPs to Service objects.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDRSpec"},"status":{"description":"status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDRStatus"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"ServiceCIDR","version":"v1"}],"title":"io.k8s.api.networking.v1.ServiceCIDR"},"io.k8s.api.networking.v1.ServiceCIDRList":{"description":"ServiceCIDRList contains a list of ServiceCIDR objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of ServiceCIDRs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDR"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"ServiceCIDRList","version":"v1"}],"title":"io.k8s.api.networking.v1.ServiceCIDRList"},"io.k8s.api.networking.v1.ServiceCIDRSpec":{"description":"ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.","type":"object","properties":{"cidrs":{"description":"CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.networking.v1.ServiceCIDRSpec"},"io.k8s.api.networking.v1.ServiceCIDRStatus":{"description":"ServiceCIDRStatus describes the current state of the ServiceCIDR.","type":"object","properties":{"conditions":{"description":"conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. 
Current service state","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.networking.v1.ServiceCIDRStatus"},"io.k8s.api.node.v1.Overhead":{"description":"Overhead structure represents the resource overhead associated with running a pod.","type":"object","properties":{"podFixed":{"description":"podFixed represents the fixed resource overhead associated with running a pod.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.node.v1.Overhead"},"io.k8s.api.node.v1.RuntimeClass":{"description":"RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod.  For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/","type":"object","required":["handler"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"handler":{"description":"handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. 
For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"overhead":{"description":"overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/","$ref":"#/definitions/io.k8s.api.node.v1.Overhead"},"scheduling":{"description":"scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.","$ref":"#/definitions/io.k8s.api.node.v1.Scheduling"}},"x-kubernetes-group-version-kind":[{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}],"title":"io.k8s.api.node.v1.RuntimeClass"},"io.k8s.api.node.v1.RuntimeClassList":{"description":"RuntimeClassList is a list of RuntimeClass objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"node.k8s.io","kind":"RuntimeClassList","version":"v1"}],"title":"io.k8s.api.node.v1.RuntimeClassList"},"io.k8s.api.node.v1.Scheduling":{"description":"Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.","type":"object","properties":{"nodeSelector":{"description":"nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. 
Any conflicts will cause the pod to be rejected in admission.","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"tolerations":{"description":"tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Toleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.node.v1.Scheduling"},"io.k8s.api.policy.v1.Eviction":{"description":"Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod.  A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"deleteOptions":{"description":"DeleteOptions may be provided","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"ObjectMeta describes the pod that is being evicted.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"Eviction","version":"v1"}],"title":"io.k8s.api.policy.v1.Eviction"},"io.k8s.api.policy.v1.PodDisruptionBudget":{"description":"PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the PodDisruptionBudget.","$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec"},"status":{"description":"Most recently observed status of the PodDisruptionBudget.","$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}],"title":"io.k8s.api.policy.v1.PodDisruptionBudget"},"io.k8s.api.policy.v1.PodDisruptionBudgetList":{"description":"PodDisruptionBudgetList is a collection of PodDisruptionBudgets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of PodDisruptionBudgets","type":"array","items":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"PodDisruptionBudgetList","version":"v1"}],"title":"io.k8s.api.policy.v1.PodDisruptionBudgetList"},"io.k8s.api.policy.v1.PodDisruptionBudgetSpec":{"description":"PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.","type":"object","properties":{"maxUnavailable":{"description":"An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"minAvailable":{"description":"An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying \"100%\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"selector":{"description":"Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","x-kubernetes-patch-strategy":"replace"},"unhealthyPodEvictionPolicy":{"description":"UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. 
If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nPossible enum values:\n - `\"AlwaysAllow\"` policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n - `\"IfHealthyBudget\"` policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.","type":"string","enum":["AlwaysAllow","IfHealthyBudget"]}},"title":"io.k8s.api.policy.v1.PodDisruptionBudgetSpec"},"io.k8s.api.policy.v1.PodDisruptionBudgetStatus":{"description":"PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. 
Status may trail the actual state of a system.","type":"object","required":["disruptionsAllowed","currentHealthy","desiredHealthy","expectedPods"],"properties":{"conditions":{"description":"Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n              the number of allowed disruptions. Therefore no disruptions are\n              allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n                    required by the PodDisruptionBudget. No disruptions are\n                    allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n                  The condition will be True, and the number of allowed\n                  disruptions are provided by the disruptionsAllowed property.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentHealthy":{"description":"current number of healthy pods","type":"integer","format":"int32"},"desiredHealthy":{"description":"minimum desired number of healthy pods","type":"integer","format":"int32"},"disruptedPods":{"description":"DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). 
The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"disruptionsAllowed":{"description":"Number of pod disruptions that are currently allowed.","type":"integer","format":"int32"},"expectedPods":{"description":"total number of pods counted by this disruption budget","type":"integer","format":"int32"},"observedGeneration":{"description":"Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.","type":"integer","format":"int64"}},"title":"io.k8s.api.policy.v1.PodDisruptionBudgetStatus"},"io.k8s.api.rbac.v1.AggregationRule":{"description":"AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole","type":"object","properties":{"clusterRoleSelectors":{"description":"ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. 
If any of the selectors match, then the ClusterRole's permissions will be added","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.rbac.v1.AggregationRule"},"io.k8s.api.rbac.v1.ClusterRole":{"description":"ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.","type":"object","properties":{"aggregationRule":{"description":"AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.","$ref":"#/definitions/io.k8s.api.rbac.v1.AggregationRule"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"rules":{"description":"Rules holds all the PolicyRules for this ClusterRole","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.PolicyRule"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}],"title":"io.k8s.api.rbac.v1.ClusterRole"},"io.k8s.api.rbac.v1.ClusterRoleBinding":{"description":"ClusterRoleBinding references a ClusterRole, but does not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.","type":"object","required":["roleRef"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"roleRef":{"description":"RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. 
This field is immutable.","$ref":"#/definitions/io.k8s.api.rbac.v1.RoleRef"},"subjects":{"description":"Subjects holds references to the objects the role applies to.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Subject"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}],"title":"io.k8s.api.rbac.v1.ClusterRoleBinding"},"io.k8s.api.rbac.v1.ClusterRoleBindingList":{"description":"ClusterRoleBindingList is a collection of ClusterRoleBindings","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ClusterRoleBindings","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBindingList","version":"v1"}],"title":"io.k8s.api.rbac.v1.ClusterRoleBindingList"},"io.k8s.api.rbac.v1.ClusterRoleList":{"description":"ClusterRoleList is a collection of ClusterRoles","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ClusterRoles","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleList","version":"v1"}],"title":"io.k8s.api.rbac.v1.ClusterRoleList"},"io.k8s.api.rbac.v1.PolicyRule":{"description":"PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.","type":"object","required":["verbs"],"properties":{"apiGroups":{"description":"APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nonResourceURLs":{"description":"NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 
Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"),  but not both.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to. '*' represents all resources.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.rbac.v1.PolicyRule"},"io.k8s.api.rbac.v1.Role":{"description":"Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"rules":{"description":"Rules holds all the PolicyRules for this Role","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.PolicyRule"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}],"title":"io.k8s.api.rbac.v1.Role"},"io.k8s.api.rbac.v1.RoleBinding":{"description":"RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.","type":"object","required":["roleRef"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"roleRef":{"description":"RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. 
This field is immutable.","$ref":"#/definitions/io.k8s.api.rbac.v1.RoleRef"},"subjects":{"description":"Subjects holds references to the objects the role applies to.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Subject"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}],"title":"io.k8s.api.rbac.v1.RoleBinding"},"io.k8s.api.rbac.v1.RoleBindingList":{"description":"RoleBindingList is a collection of RoleBindings","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of RoleBindings","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleBindingList","version":"v1"}],"title":"io.k8s.api.rbac.v1.RoleBindingList"},"io.k8s.api.rbac.v1.RoleList":{"description":"RoleList is a collection of Roles","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of Roles","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleList","version":"v1"}],"title":"io.k8s.api.rbac.v1.RoleList"},"io.k8s.api.rbac.v1.RoleRef":{"description":"RoleRef contains information that points to the role being used","type":"object","required":["apiGroup","kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.rbac.v1.RoleRef"},"io.k8s.api.rbac.v1.Subject":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. 
Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.api.rbac.v1.Subject"},"io.k8s.api.resource.v1.AllocatedDeviceStatus":{"description":"AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. This may include driver-specific information.\n\nThe combination of Driver, Pool, Device, and ShareID must match the corresponding key in Status.Allocation.Devices.","type":"object","required":["driver","pool","device"],"properties":{"conditions":{"description":"Conditions contains the latest observation of the device's state. If the device has been configured according to the class and claim config references, the `Ready` condition should be True.\n\nMust not contain more than 8 entries.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"data":{"description":"Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"device":{"description":"Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.","type":"string"},"driver":{"description":"Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.","type":"string"},"networkData":{"description":"NetworkData contains network-related information specific to the device.","$ref":"#/definitions/io.k8s.api.resource.v1.NetworkDeviceData"},"pool":{"description":"This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.","type":"string"},"shareID":{"description":"ShareID uniquely identifies an individual allocation share of the device.","type":"string"}},"title":"io.k8s.api.resource.v1.AllocatedDeviceStatus"},"io.k8s.api.resource.v1.AllocationResult":{"description":"AllocationResult contains attributes of an allocated resource.","type":"object","properties":{"allocationTimestamp":{"description":"AllocationTimestamp stores the time when the resources were allocated. This field is not guaranteed to be set, in which case that time is unknown.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gate.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"devices":{"description":"Devices is the result of allocating devices.","$ref":"#/definitions/io.k8s.api.resource.v1.DeviceAllocationResult"},"nodeSelector":{"description":"NodeSelector defines where the allocated resources are available. 
If unset, they are available everywhere.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}},"title":"io.k8s.api.resource.v1.AllocationResult"},"io.k8s.api.resource.v1.CELDeviceSelector":{"description":"CELDeviceSelector contains a CEL expression for selecting a device.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n   (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n   of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n - allowMultipleAllocations (bool): the allowMultipleAllocations property of the device\n   (v1.34+ with the DRAConsumableCapacity feature enabled).\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n    device.driver\n    device.attributes[\"dra.example.com\"].model\n    device.attributes[\"ext.example.com\"].family\n    device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. 
you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n    cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.","type":"string"}},"title":"io.k8s.api.resource.v1.CELDeviceSelector"},"io.k8s.api.resource.v1.CapacityRequestPolicy":{"description":"CapacityRequestPolicy defines how requests consume device capacity.\n\nMust not set more than one ValidRequestValues.","type":"object","properties":{"default":{"description":"Default specifies how much of this capacity is consumed by a request that does not contain an entry for it in DeviceRequest's Capacity.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"validRange":{"description":"ValidRange defines an acceptable quantity value range in consuming requests.\n\nIf this field is set, Default must be defined and it must fall within the defined ValidRange.\n\nIf the requested amount does not fall within the defined range, the request violates the policy, and this device cannot be allocated.\n\nIf the request doesn't contain this capacity entry, 
Default value is used.","$ref":"#/definitions/io.k8s.api.resource.v1.CapacityRequestPolicyRange"},"validValues":{"description":"ValidValues defines a set of acceptable quantity values in consuming requests.\n\nMust not contain more than 10 entries. Must be sorted in ascending order.\n\nIf this field is set, Default must be defined and it must be included in ValidValues list.\n\nIf the requested amount does not match any valid value but smaller than some valid values, the scheduler calculates the smallest valid value that is greater than or equal to the request. That is: min(ceil(requestedValue) ∈ validValues), where requestedValue ≤ max(validValues).\n\nIf the requested amount exceeds all valid values, the request violates the policy, and this device cannot be allocated.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.CapacityRequestPolicy"},"io.k8s.api.resource.v1.CapacityRequestPolicyRange":{"description":"CapacityRequestPolicyRange defines a valid range for consumable capacity values.\n\n  - If the requested amount is less than Min, it is rounded up to the Min value.\n  - If Step is set and the requested amount is between Min and Max but not aligned with Step,\n    it will be rounded up to the next value equal to Min + (n * Step).\n  - If Step is not set, the requested amount is used as-is if it falls within the range Min to Max (if set).\n  - If the requested or rounded amount exceeds Max (if set), the request does not satisfy the policy,\n    and the device cannot be allocated.","type":"object","required":["min"],"properties":{"max":{"description":"Max defines the upper limit for capacity that can be requested.\n\nMax must be less than or equal to the capacity value. 
Min and requestPolicy.default must be less than or equal to the maximum.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"min":{"description":"Min specifies the minimum capacity allowed for a consumption request.\n\nMin must be greater than or equal to zero, and less than or equal to the capacity value. requestPolicy.default must be more than or equal to the minimum.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"step":{"description":"Step defines the step size between valid capacity amounts within the range.\n\nMax (if set) and requestPolicy.default must be a multiple of Step. Min + Step must be less than or equal to the capacity value.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1.CapacityRequestPolicyRange"},"io.k8s.api.resource.v1.CapacityRequirements":{"description":"CapacityRequirements defines the capacity requirements for a specific device request.","type":"object","properties":{"requests":{"description":"Requests represent individual device resource requests for distinct resources, all of which must be provided by the device.\n\nThis value is used as an additional filtering condition against the available capacity on the device. This is semantically equivalent to a CEL selector with `device.capacity[<domain>].<name>.compareTo(quantity(<request quantity>)) >= 0`. For example, device.capacity['test-driver.cdi.k8s.io'].counters.compareTo(quantity('2')) >= 0.\n\nWhen a requestPolicy is defined, the requested amount is adjusted upward to the nearest valid value based on the policy. 
If the requested amount cannot be adjusted to a valid value—because it exceeds what the requestPolicy allows— the device is considered ineligible for allocation.\n\nFor any capacity that is not explicitly requested: - If no requestPolicy is set, the default consumed capacity is equal to the full device capacity\n  (i.e., the whole device is claimed).\n- If a requestPolicy is set, the default consumed capacity is determined according to that policy.\n\nIf the device allows multiple allocation, the aggregated amount across all requests must not exceed the capacity value. The consumed capacity, which may be adjusted based on the requestPolicy if defined, is recorded in the resource claim’s status.devices[*].consumedCapacity field.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.resource.v1.CapacityRequirements"},"io.k8s.api.resource.v1.Counter":{"description":"Counter describes a quantity associated with a device.","type":"object","required":["value"],"properties":{"value":{"description":"Value defines how much of a certain device counter is available.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1.Counter"},"io.k8s.api.resource.v1.CounterSet":{"description":"CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. 
When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.","type":"object","required":["name","counters"],"properties":{"counters":{"description":"Counters defines the set of counters for this CounterSet. The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1.Counter"}},"name":{"description":"Name defines the name of the counter set. It must be a DNS label.","type":"string"}},"title":"io.k8s.api.resource.v1.CounterSet"},"io.k8s.api.resource.v1.Device":{"description":"Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.","type":"object","required":["name"],"properties":{"allNodes":{"description":"AllNodes indicates that all nodes have access to the device.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.","type":"boolean"},"allowMultipleAllocations":{"description":"AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.\n\nIf AllowMultipleAllocations is set to true, the device can be allocated more than once, and all of its capacity is consumable, regardless of whether the requestPolicy is defined or not.","type":"boolean"},"attributes":{"description":"Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceAttribute"}},"bindingConditions":{"description":"BindingConditions defines the conditions for proceeding with binding. 
All of these conditions must be set in the per-device status conditions with a value of True to proceed with binding the pod to the node while scheduling the pod.\n\nThe maximum number of binding conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindingFailureConditions":{"description":"BindingFailureConditions defines the conditions for binding failure. They may be set in the per-device status conditions. If any is set to \"True\", a binding failure occurred.\n\nThe maximum number of binding failure conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindsToNode":{"description":"BindsToNode indicates if the usage of an allocation involving this device has to be limited to exactly the node that was chosen when allocating the claim. If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector to match the node where the allocation was made.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"boolean"},"capacity":{"description":"Capacity defines the set of capacities for this device. 
The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceCapacity"}},"consumesCounters":{"description":"ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceCounterConsumption"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.","type":"string"},"nodeName":{"description":"NodeName identifies the node where the device is available.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.","type":"string"},"nodeSelector":{"description":"NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"},"taints":{"description":"If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. 
If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceTaint"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.Device"},"io.k8s.api.resource.v1.DeviceAllocationConfiguration":{"description":"DeviceAllocationConfiguration gets embedded in an AllocationResult.","type":"object","required":["source"],"properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1.OpaqueDeviceConfiguration"},"requests":{"description":"Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the configuration applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"source":{"description":"Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.\n\n\nPossible enum values:\n - `\"FromClaim\"`\n - `\"FromClass\"`","type":"string","enum":["FromClaim","FromClass"]}},"title":"io.k8s.api.resource.v1.DeviceAllocationConfiguration"},"io.k8s.api.resource.v1.DeviceAllocationResult":{"description":"DeviceAllocationResult is the result of allocating devices.","type":"object","properties":{"config":{"description":"This field is a combination of all the claim and class configuration parameters. 
Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceAllocationConfiguration"},"x-kubernetes-list-type":"atomic"},"results":{"description":"Results lists all allocated devices.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceRequestAllocationResult"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceAllocationResult"},"io.k8s.api.resource.v1.DeviceAttribute":{"description":"DeviceAttribute must have exactly one field set.","type":"object","properties":{"bool":{"description":"BoolValue is a true/false value.","type":"boolean"},"int":{"description":"IntValue is a number.","type":"integer","format":"int64"},"string":{"description":"StringValue is a string. Must not be longer than 64 characters.","type":"string"},"version":{"description":"VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.","type":"string"}},"title":"io.k8s.api.resource.v1.DeviceAttribute"},"io.k8s.api.resource.v1.DeviceCapacity":{"description":"DeviceCapacity describes a quantity associated with a device.","type":"object","required":["value"],"properties":{"requestPolicy":{"description":"RequestPolicy defines how this DeviceCapacity must be consumed when the device is allowed to be shared by multiple allocations.\n\nThe Device must have allowMultipleAllocations set to true in order to set a requestPolicy.\n\nIf unset, capacity requests are unconstrained: requests can consume any amount of capacity, as long as the total consumed across all allocations does not exceed the device's defined capacity. 
If request is also unset, default is the full capacity value.","$ref":"#/definitions/io.k8s.api.resource.v1.CapacityRequestPolicy"},"value":{"description":"Value defines how much of a certain capacity that device has.\n\nThis field reflects the fixed total capacity and does not change. The consumed amount is tracked separately by scheduler and does not affect this value.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1.DeviceCapacity"},"io.k8s.api.resource.v1.DeviceClaim":{"description":"DeviceClaim defines how to request devices with a ResourceClaim.","type":"object","properties":{"config":{"description":"This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceClaimConfiguration"},"x-kubernetes-list-type":"atomic"},"constraints":{"description":"These constraints must be satisfied by the set of devices that get allocated for the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceConstraint"},"x-kubernetes-list-type":"atomic"},"requests":{"description":"Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceRequest"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceClaim"},"io.k8s.api.resource.v1.DeviceClaimConfiguration":{"description":"DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.","type":"object","properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1.OpaqueDeviceConfiguration"},"requests":{"description":"Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the configuration applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceClaimConfiguration"},"io.k8s.api.resource.v1.DeviceClass":{"description":"DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. 
Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number.","$ref":"#/definitions/io.k8s.api.resource.v1.DeviceClassSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClass","version":"v1"}],"title":"io.k8s.api.resource.v1.DeviceClass"},"io.k8s.api.resource.v1.DeviceClassConfiguration":{"description":"DeviceClassConfiguration is used in DeviceClass.","type":"object","properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1.OpaqueDeviceConfiguration"}},"title":"io.k8s.api.resource.v1.DeviceClassConfiguration"},"io.k8s.api.resource.v1.DeviceClassList":{"description":"DeviceClassList is a collection of classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource classes.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClassList","version":"v1"}],"title":"io.k8s.api.resource.v1.DeviceClassList"},"io.k8s.api.resource.v1.DeviceClassSpec":{"description":"DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.","type":"object","properties":{"config":{"description":"Config defines configuration parameters that apply to each device that is claimed via this class. Some classes may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceClassConfiguration"},"x-kubernetes-list-type":"atomic"},"extendedResourceName":{"description":"ExtendedResourceName is the extended resource name for the devices of this class. The devices of this class can be used to satisfy a pod's extended resource requests. It has the same format as the name of a pod's extended resource. It should be unique among all the device classes in a cluster. If two device classes have the same name, then the class created later is picked to satisfy a pod's extended resource requests. 
If two classes are created at the same time, then the name of the class lexicographically sorted first is picked.\n\nThis is an alpha field.","type":"string"},"selectors":{"description":"Each selector must be satisfied by a device which is claimed via this class.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceSelector"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceClassSpec"},"io.k8s.api.resource.v1.DeviceConstraint":{"description":"DeviceConstraint must have exactly one field set besides Requests.","type":"object","properties":{"distinctAttribute":{"description":"DistinctAttribute requires that all devices in question have this attribute and that its type and value are unique across those devices.\n\nThis acts as the inverse of MatchAttribute.\n\nThis constraint is used to avoid allocating multiple requests to the same device by ensuring attribute-level differentiation.\n\nThis is useful for scenarios where resource requests must be fulfilled by separate physical devices. For example, a container requests two network interfaces that must be allocated from two different physical NICs.","type":"string"},"matchAttribute":{"description":"MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.","type":"string"},"requests":{"description":"Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. 
If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the constraint applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceConstraint"},"io.k8s.api.resource.v1.DeviceCounterConsumption":{"description":"DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.","type":"object","required":["counterSet","counters"],"properties":{"counterSet":{"description":"CounterSet is the name of the set from which the counters defined will be consumed.","type":"string"},"counters":{"description":"Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1.Counter"}}},"title":"io.k8s.api.resource.v1.DeviceCounterConsumption"},"io.k8s.api.resource.v1.DeviceRequest":{"description":"DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices. With FirstAvailable it is also possible to provide a prioritized list of requests.","type":"object","required":["name"],"properties":{"exactly":{"description":"Exactly specifies the details for a single request that must be met exactly for the request to be satisfied.\n\nOne of Exactly or FirstAvailable must be set.","$ref":"#/definitions/io.k8s.api.resource.v1.ExactDeviceRequest"},"firstAvailable":{"description":"FirstAvailable contains subrequests, of which exactly one will be selected by the scheduler. 
It tries to satisfy them in the order in which they are listed here. So if there are two entries in the list, the scheduler will only check the second one if it determines that the first one can not be used.\n\nDRA does not yet implement scoring, so the scheduler will select the first set of devices that satisfies all the requests in the claim. And if the requirements can be satisfied on more than one node, other scheduling features will determine which node is chosen. This means that the set of devices allocated to a claim might not be the optimal set available to the cluster. Scoring will be implemented later.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceSubRequest"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nReferences using the name in the DeviceRequest will uniquely identify a request when the Exactly field is set. When the FirstAvailable field is set, a reference to the name of the DeviceRequest will match whatever subrequest is chosen by the scheduler.\n\nMust be a DNS label.","type":"string"}},"title":"io.k8s.api.resource.v1.DeviceRequest"},"io.k8s.api.resource.v1.DeviceRequestAllocationResult":{"description":"DeviceRequestAllocationResult contains the allocation result for one request.","type":"object","required":["request","driver","pool","device"],"properties":{"adminAccess":{"description":"AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.","type":"boolean"},"bindingConditions":{"description":"BindingConditions contains a copy of the BindingConditions from the corresponding ResourceSlice at the time of allocation.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindingFailureConditions":{"description":"BindingFailureConditions contains a copy of the BindingFailureConditions from the corresponding ResourceSlice at the time of allocation.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"consumedCapacity":{"description":"ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request. The consumed amount may differ from the requested amount: it is rounded up to the nearest valid value based on the device’s requestPolicy if applicable (i.e., may not be less than the requested amount).\n\nThe total consumed capacity for each device must not exceed the DeviceCapacity's Value.\n\nThis field is populated only for devices that allow multiple allocations. All capacity entries are included, even if the consumed amount is zero.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"device":{"description":"Device references one device instance via its name in the driver's resource pool. It must be a DNS label.","type":"string"},"driver":{"description":"Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. 
It should use only lower case characters.","type":"string"},"pool":{"description":"This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.","type":"string"},"request":{"description":"Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.","type":"string"},"shareID":{"description":"ShareID uniquely identifies an individual allocation share of the device, used when the device supports multiple simultaneous allocations. It serves as an additional map key to differentiate concurrent shares of the same device.","type":"string"},"tolerations":{"description":"A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceRequestAllocationResult"},"io.k8s.api.resource.v1.DeviceSelector":{"description":"DeviceSelector must have exactly one field set.","type":"object","properties":{"cel":{"description":"CEL contains a CEL expression for selecting a device.","$ref":"#/definitions/io.k8s.api.resource.v1.CELDeviceSelector"}},"title":"io.k8s.api.resource.v1.DeviceSelector"},"io.k8s.api.resource.v1.DeviceSubRequest":{"description":"DeviceSubRequest describes a request for device provided in the claim.spec.devices.requests[].firstAvailable array. 
Each is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nDeviceSubRequest is similar to ExactDeviceRequest, but doesn't expose the AdminAccess field as that one is only supported when requesting a specific device.","type":"object","required":["name","deviceClassName"],"properties":{"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`","type":"string","enum":["All","ExactCount"]},"capacity":{"description":"Capacity defines resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. 
If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.","$ref":"#/definitions/io.k8s.api.resource.v1.CapacityRequirements"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.","type":"integer","format":"int64"},"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this subrequest.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"name":{"description":"Name can be used to reference this subrequest in the list of constraints or the list of configurations for the claim. References must use the format <main request>/<subrequest>.\n\nMust be a DNS label.","type":"string"},"selectors":{"description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this subrequest. All selectors must be satisfied for a device to be considered.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceSelector"},"x-kubernetes-list-type":"atomic"},"tolerations":{"description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. 
The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.DeviceSubRequest"},"io.k8s.api.resource.v1.DeviceTaint":{"description":"The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.","type":"object","required":["key","effect"],"properties":{"effect":{"description":"The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.","type":"string","enum":["NoExecute","NoSchedule","None"]},"key":{"description":"The taint key to be applied to a device. Must be a label name.","type":"string"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added. 
Added automatically during create or update if not set.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"value":{"description":"The taint value corresponding to the taint key. Must be a label value.","type":"string"}},"title":"io.k8s.api.resource.v1.DeviceTaint"},"io.k8s.api.resource.v1.DeviceToleration":{"description":"The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.","type":"string","enum":["NoExecute","NoSchedule","None"]},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.\n\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`","type":"string","enum":["Equal","Exists"]},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was added> + <toleration seconds>.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.","type":"string"}},"title":"io.k8s.api.resource.v1.DeviceToleration"},"io.k8s.api.resource.v1.ExactDeviceRequest":{"description":"ExactDeviceRequest is a request for one or more identical devices.","type":"object","required":["deviceClassName"],"properties":{"adminAccess":{"description":"AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.","type":"boolean"},"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. 
Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`","type":"string","enum":["All","ExactCount"]},"capacity":{"description":"Capacity defines resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.","$ref":"#/definitions/io.k8s.api.resource.v1.CapacityRequirements"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.","type":"integer","format":"int64"},"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA DeviceClassName is required.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"selectors":{"description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceSelector"},"x-kubernetes-list-type":"atomic"},"tolerations":{"description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.ExactDeviceRequest"},"io.k8s.api.resource.v1.NetworkDeviceData":{"description":"NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.","type":"object","properties":{"hardwareAddress":{"description":"HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.\n\nMust not be longer than 128 characters.","type":"string"},"interfaceName":{"description":"InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.","type":"string"},"ips":{"description":"IPs lists the network addresses assigned to the device's network interface. This can include both IPv4 and IPv6 addresses. 
The IPs are in the CIDR notation, which includes both the address and the associated subnet mask. e.g.: \"192.0.2.5/24\" for IPv4 and \"2001:db8::5/64\" for IPv6.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.NetworkDeviceData"},"io.k8s.api.resource.v1.OpaqueDeviceConfiguration":{"description":"OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.","type":"object","required":["driver","parameters"],"properties":{"driver":{"description":"Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.","type":"string"},"parameters":{"description":"Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"}},"title":"io.k8s.api.resource.v1.OpaqueDeviceConfiguration"},"io.k8s.api.resource.v1.ResourceClaim":{"description":"ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. 
The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec describes what is being requested and how to configure it. The spec is immutable.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimSpec"},"status":{"description":"Status describes whether the claim is ready to use and what has been allocated.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimStatus"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaim","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceClaim"},"io.k8s.api.resource.v1.ResourceClaimConsumerReference":{"description":"ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.","type":"object","required":["resource","name","uid"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. It is empty for the core API. 
This matches the group in the APIVersion that is used when creating the resources.","type":"string"},"name":{"description":"Name is the name of resource being referenced.","type":"string"},"resource":{"description":"Resource is the type of resource being referenced, for example \"pods\".","type":"string"},"uid":{"description":"UID identifies exactly one incarnation of the resource.","type":"string"}},"title":"io.k8s.api.resource.v1.ResourceClaimConsumerReference"},"io.k8s.api.resource.v1.ResourceClaimList":{"description":"ResourceClaimList is a collection of claims.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource claims.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaim"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimList","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceClaimList"},"io.k8s.api.resource.v1.ResourceClaimSpec":{"description":"ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.","type":"object","properties":{"devices":{"description":"Devices defines how to request devices.","$ref":"#/definitions/io.k8s.api.resource.v1.DeviceClaim"}},"title":"io.k8s.api.resource.v1.ResourceClaimSpec"},"io.k8s.api.resource.v1.ResourceClaimStatus":{"description":"ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.","type":"object","properties":{"allocation":{"description":"Allocation is set once the claim has been allocated successfully.","$ref":"#/definitions/io.k8s.api.resource.v1.AllocationResult"},"devices":{"description":"Devices contains the status of each device allocated for this claim, as reported by the driver. This can include driver-specific information. Entries are owned by their respective drivers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.AllocatedDeviceStatus"},"x-kubernetes-list-map-keys":["driver","device","pool","shareID"],"x-kubernetes-list-type":"map"},"reservedFor":{"description":"ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. 
When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 256 such reservations. This may get increased in the future, but not reduced.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimConsumerReference"},"x-kubernetes-list-map-keys":["uid"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"uid","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.resource.v1.ResourceClaimStatus"},"io.k8s.api.resource.v1.ResourceClaimTemplate":{"description":"ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimTemplateSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimTemplate","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceClaimTemplate"},"io.k8s.api.resource.v1.ResourceClaimTemplateList":{"description":"ResourceClaimTemplateList is a collection of claim templates.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource claim templates.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimTemplateList","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceClaimTemplateList"},"io.k8s.api.resource.v1.ResourceClaimTemplateSpec":{"description":"ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.","type":"object","required":["spec"],"properties":{"metadata":{"description":"ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourceClaimSpec"}},"title":"io.k8s.api.resource.v1.ResourceClaimTemplateSpec"},"io.k8s.api.resource.v1.ResourcePool":{"description":"ResourcePool describes the pool that ResourceSlices belong to.","type":"object","required":["name","generation","resourceSliceCount"],"properties":{"generation":{"description":"Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.","type":"integer","format":"int64"},"name":{"description":"Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.","type":"string"},"resourceSliceCount":{"description":"ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.","type":"integer","format":"int64"}},"title":"io.k8s.api.resource.v1.ResourcePool"},"io.k8s.api.resource.v1.ResourceSlice":{"description":"ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. 
A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourceSliceSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSlice","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceSlice"},"io.k8s.api.resource.v1.ResourceSliceList":{"description":"ResourceSliceList is a collection of ResourceSlices.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource ResourceSlices.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.ResourceSlice"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSliceList","version":"v1"}],"title":"io.k8s.api.resource.v1.ResourceSliceList"},"io.k8s.api.resource.v1.ResourceSliceSpec":{"description":"ResourceSliceSpec contains the information published by the driver in one ResourceSlice.","type":"object","required":["driver","pool"],"properties":{"allNodes":{"description":"AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"devices":{"description":"Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.Device"},"x-kubernetes-list-type":"atomic"},"driver":{"description":"Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.","type":"string"},"nodeName":{"description":"NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. 
It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.","type":"string"},"nodeSelector":{"description":"NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"},"perDeviceNodeSelection":{"description":"PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined in the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"pool":{"description":"Pool describes the pool that this ResourceSlice belongs to.","$ref":"#/definitions/io.k8s.api.resource.v1.ResourcePool"},"sharedCounters":{"description":"SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1.CounterSet"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1.ResourceSliceSpec"},"io.k8s.api.resource.v1beta1.AllocatedDeviceStatus":{"description":"AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. 
This may include driver-specific information.\n\nThe combination of Driver, Pool, Device, and ShareID must match the corresponding key in Status.Allocation.Devices.","type":"object","required":["driver","pool","device"],"properties":{"conditions":{"description":"Conditions contains the latest observation of the device's state. If the device has been configured according to the class and claim config references, the `Ready` condition should be True.\n\nMust not contain more than 8 entries.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"data":{"description":"Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"device":{"description":"Device references one device instance via its name in the driver's resource pool. It must be a DNS label.","type":"string"},"driver":{"description":"Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. 
It should use only lower case characters.","type":"string"},"networkData":{"description":"NetworkData contains network-related information specific to the device.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.NetworkDeviceData"},"pool":{"description":"This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.","type":"string"},"shareID":{"description":"ShareID uniquely identifies an individual allocation share of the device.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.AllocatedDeviceStatus"},"io.k8s.api.resource.v1beta1.AllocationResult":{"description":"AllocationResult contains attributes of an allocated resource.","type":"object","properties":{"allocationTimestamp":{"description":"AllocationTimestamp stores the time when the resources were allocated. This field is not guaranteed to be set, in which case that time is unknown.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gate.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"devices":{"description":"Devices is the result of allocating devices.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult"},"nodeSelector":{"description":"NodeSelector defines where the allocated resources are available. If unset, they are available everywhere.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}},"title":"io.k8s.api.resource.v1beta1.AllocationResult"},"io.k8s.api.resource.v1beta1.BasicDevice":{"description":"BasicDevice defines one device instance.","type":"object","properties":{"allNodes":{"description":"AllNodes indicates that all nodes have access to the device.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. 
At most one of NodeName, NodeSelector and AllNodes can be set.","type":"boolean"},"allowMultipleAllocations":{"description":"AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.\n\nIf AllowMultipleAllocations is set to true, the device can be allocated more than once, and all of its capacity is consumable, regardless of whether the requestPolicy is defined or not.","type":"boolean"},"attributes":{"description":"Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute"}},"bindingConditions":{"description":"BindingConditions defines the conditions for proceeding with binding. All of these conditions must be set in the per-device status conditions with a value of True to proceed with binding the pod to the node while scheduling the pod.\n\nThe maximum number of binding conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindingFailureConditions":{"description":"BindingFailureConditions defines the conditions for binding failure. They may be set in the per-device status conditions. 
If any is true, a binding failure occurred.\n\nThe maximum number of binding failure conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindsToNode":{"description":"BindsToNode indicates if the usage of an allocation involving this device has to be limited to exactly the node that was chosen when allocating the claim. If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector to match the node where the allocation was made.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"boolean"},"capacity":{"description":"Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity"}},"consumesCounters":{"description":"ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceCounterConsumption"},"x-kubernetes-list-type":"atomic"},"nodeName":{"description":"NodeName identifies the node where the device is available.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. 
At most one of NodeName, NodeSelector and AllNodes can be set.","type":"string"},"nodeSelector":{"description":"NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"},"taints":{"description":"If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceTaint"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.BasicDevice"},"io.k8s.api.resource.v1beta1.CELDeviceSelector":{"description":"CELDeviceSelector contains a CEL expression for selecting a device.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n   (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n   of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n - allowMultipleAllocations (bool): the allowMultipleAllocations property of the device\n   (v1.34+ with the DRAConsumableCapacity feature enabled).\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n    device.driver\n    device.attributes[\"dra.example.com\"].model\n    device.attributes[\"ext.example.com\"].family\n    device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n    cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.CELDeviceSelector"},"io.k8s.api.resource.v1beta1.CapacityRequestPolicy":{"description":"CapacityRequestPolicy defines how requests consume device capacity.\n\nMust not set more than one ValidRequestValues.","type":"object","properties":{"default":{"description":"Default specifies how much of this capacity is consumed by a request that does not contain an entry for it in DeviceRequest's Capacity.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"validRange":{"description":"ValidRange defines an acceptable quantity value range in consuming requests.\n\nIf this field is set, Default must be defined and it must fall within the defined ValidRange.\n\nIf the requested amount does not fall within the defined range, the request violates the policy, and this device cannot be allocated.\n\nIf the request doesn't contain this capacity entry, Default value is used.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.CapacityRequestPolicyRange"},"validValues":{"description":"ValidValues defines a set of acceptable quantity values in consuming requests.\n\nMust not contain more than 10 entries. Must be sorted in ascending order.\n\nIf this field is set, Default must be defined and it must be included in ValidValues list.\n\nIf the requested amount does not match any valid value but smaller than some valid values, the scheduler calculates the smallest valid value that is greater than or equal to the request. 
That is: min(ceil(requestedValue) ∈ validValues), where requestedValue ≤ max(validValues).\n\nIf the requested amount exceeds all valid values, the request violates the policy, and this device cannot be allocated.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.CapacityRequestPolicy"},"io.k8s.api.resource.v1beta1.CapacityRequestPolicyRange":{"description":"CapacityRequestPolicyRange defines a valid range for consumable capacity values.\n\n  - If the requested amount is less than Min, it is rounded up to the Min value.\n  - If Step is set and the requested amount is between Min and Max but not aligned with Step,\n    it will be rounded up to the next value equal to Min + (n * Step).\n  - If Step is not set, the requested amount is used as-is if it falls within the range Min to Max (if set).\n  - If the requested or rounded amount exceeds Max (if set), the request does not satisfy the policy,\n    and the device cannot be allocated.","type":"object","required":["min"],"properties":{"max":{"description":"Max defines the upper limit for capacity that can be requested.\n\nMax must be less than or equal to the capacity value. Min and requestPolicy.default must be less than or equal to the maximum.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"min":{"description":"Min specifies the minimum capacity allowed for a consumption request.\n\nMin must be greater than or equal to zero, and less than or equal to the capacity value. requestPolicy.default must be more than or equal to the minimum.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"step":{"description":"Step defines the step size between valid capacity amounts within the range.\n\nMax (if set) and requestPolicy.default must be a multiple of Step. 
Min + Step must be less than or equal to the capacity value.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1beta1.CapacityRequestPolicyRange"},"io.k8s.api.resource.v1beta1.CapacityRequirements":{"description":"CapacityRequirements defines the capacity requirements for a specific device request.","type":"object","properties":{"requests":{"description":"Requests represent individual device resource requests for distinct resources, all of which must be provided by the device.\n\nThis value is used as an additional filtering condition against the available capacity on the device. This is semantically equivalent to a CEL selector with `device.capacity[<domain>].<name>.compareTo(quantity(<request quantity>)) >= 0`. For example, device.capacity['test-driver.cdi.k8s.io'].counters.compareTo(quantity('2')) >= 0.\n\nWhen a requestPolicy is defined, the requested amount is adjusted upward to the nearest valid value based on the policy. If the requested amount cannot be adjusted to a valid value—because it exceeds what the requestPolicy allows— the device is considered ineligible for allocation.\n\nFor any capacity that is not explicitly requested: - If no requestPolicy is set, the default consumed capacity is equal to the full device capacity\n  (i.e., the whole device is claimed).\n- If a requestPolicy is set, the default consumed capacity is determined according to that policy.\n\nIf the device allows multiple allocation, the aggregated amount across all requests must not exceed the capacity value. 
The consumed capacity, which may be adjusted based on the requestPolicy if defined, is recorded in the resource claim’s status.devices[*].consumedCapacity field.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.api.resource.v1beta1.CapacityRequirements"},"io.k8s.api.resource.v1beta1.Counter":{"description":"Counter describes a quantity associated with a device.","type":"object","required":["value"],"properties":{"value":{"description":"Value defines how much of a certain device counter is available.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1beta1.Counter"},"io.k8s.api.resource.v1beta1.CounterSet":{"description":"CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.","type":"object","required":["name","counters"],"properties":{"counters":{"description":"Counters defines the set of counters for this CounterSet. The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.Counter"}},"name":{"description":"Name defines the name of the counter set. It must be a DNS label.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.CounterSet"},"io.k8s.api.resource.v1beta1.Device":{"description":"Device represents one individual hardware instance that can be selected based on its attributes. 
Besides the name, exactly one field must be set.","type":"object","required":["name"],"properties":{"basic":{"description":"Basic defines one device instance.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.BasicDevice"},"name":{"description":"Name is a unique identifier among all devices managed by the driver in the pool. It must be a DNS label.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.Device"},"io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration":{"description":"DeviceAllocationConfiguration gets embedded in an AllocationResult.","type":"object","required":["source"],"properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"},"requests":{"description":"Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the configuration applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"source":{"description":"Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.\n\n\nPossible enum values:\n - `\"FromClaim\"`\n - `\"FromClass\"`","type":"string","enum":["FromClaim","FromClass"]}},"title":"io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration"},"io.k8s.api.resource.v1beta1.DeviceAllocationResult":{"description":"DeviceAllocationResult is the result of allocating devices.","type":"object","properties":{"config":{"description":"This field is a combination of all the claim and class configuration parameters. 
Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration"},"x-kubernetes-list-type":"atomic"},"results":{"description":"Results lists all allocated devices.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceAllocationResult"},"io.k8s.api.resource.v1beta1.DeviceAttribute":{"description":"DeviceAttribute must have exactly one field set.","type":"object","properties":{"bool":{"description":"BoolValue is a true/false value.","type":"boolean"},"int":{"description":"IntValue is a number.","type":"integer","format":"int64"},"string":{"description":"StringValue is a string. Must not be longer than 64 characters.","type":"string"},"version":{"description":"VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.DeviceAttribute"},"io.k8s.api.resource.v1beta1.DeviceCapacity":{"description":"DeviceCapacity describes a quantity associated with a device.","type":"object","required":["value"],"properties":{"requestPolicy":{"description":"RequestPolicy defines how this DeviceCapacity must be consumed when the device is allowed to be shared by multiple allocations.\n\nThe Device must have allowMultipleAllocations set to true in order to set a requestPolicy.\n\nIf unset, capacity requests are unconstrained: requests can consume any amount of capacity, as long as the total consumed across all allocations does not exceed the device's defined capacity. 
If request is also unset, default is the full capacity value.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.CapacityRequestPolicy"},"value":{"description":"Value defines how much of a certain capacity that device has.\n\nThis field reflects the fixed total capacity and does not change. The consumed amount is tracked separately by scheduler and does not affect this value.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"title":"io.k8s.api.resource.v1beta1.DeviceCapacity"},"io.k8s.api.resource.v1beta1.DeviceClaim":{"description":"DeviceClaim defines how to request devices with a ResourceClaim.","type":"object","properties":{"config":{"description":"This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration"},"x-kubernetes-list-type":"atomic"},"constraints":{"description":"These constraints must be satisfied by the set of devices that get allocated for the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint"},"x-kubernetes-list-type":"atomic"},"requests":{"description":"Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceClaim"},"io.k8s.api.resource.v1beta1.DeviceClaimConfiguration":{"description":"DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.","type":"object","properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"},"requests":{"description":"Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the configuration applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceClaimConfiguration"},"io.k8s.api.resource.v1beta1.DeviceClass":{"description":"DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. 
Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClass","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.DeviceClass"},"io.k8s.api.resource.v1beta1.DeviceClassConfiguration":{"description":"DeviceClassConfiguration is used in DeviceClass.","type":"object","properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"}},"title":"io.k8s.api.resource.v1beta1.DeviceClassConfiguration"},"io.k8s.api.resource.v1beta1.DeviceClassList":{"description":"DeviceClassList is a collection of classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource classes.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClassList","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.DeviceClassList"},"io.k8s.api.resource.v1beta1.DeviceClassSpec":{"description":"DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.","type":"object","properties":{"config":{"description":"Config defines configuration parameters that apply to each device that is claimed via this class. Some classes may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration"},"x-kubernetes-list-type":"atomic"},"extendedResourceName":{"description":"ExtendedResourceName is the extended resource name for the devices of this class. The devices of this class can be used to satisfy a pod's extended resource requests. It has the same format as the name of a pod's extended resource. It should be unique among all the device classes in a cluster. If two device classes have the same name, then the class created later is picked to satisfy a pod's extended resource requests. 
If two classes are created at the same time, then the name of the class lexicographically sorted first is picked.\n\nThis is an alpha field.","type":"string"},"selectors":{"description":"Each selector must be satisfied by a device which is claimed via this class.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceClassSpec"},"io.k8s.api.resource.v1beta1.DeviceConstraint":{"description":"DeviceConstraint must have exactly one field set besides Requests.","type":"object","properties":{"distinctAttribute":{"description":"DistinctAttribute requires that all devices in question have this attribute and that its type and value are unique across those devices.\n\nThis acts as the inverse of MatchAttribute.\n\nThis constraint is used to avoid allocating multiple requests to the same device by ensuring attribute-level differentiation.\n\nThis is useful for scenarios where resource requests must be fulfilled by separate physical devices. For example, a container requests two network interfaces that must be allocated from two different physical NICs.","type":"string"},"matchAttribute":{"description":"MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.","type":"string"},"requests":{"description":"Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. 
If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format <main request>[/<subrequest>]. If just the main request is given, the constraint applies to all subrequests.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceConstraint"},"io.k8s.api.resource.v1beta1.DeviceCounterConsumption":{"description":"DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.","type":"object","required":["counterSet","counters"],"properties":{"counterSet":{"description":"CounterSet is the name of the set from which the counters defined will be consumed.","type":"string"},"counters":{"description":"Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.Counter"}}},"title":"io.k8s.api.resource.v1beta1.DeviceCounterConsumption"},"io.k8s.api.resource.v1beta1.DeviceRequest":{"description":"DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.","type":"object","required":["name"],"properties":{"adminAccess":{"description":"AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device.  
They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.","type":"boolean"},"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`","type":"string","enum":["All","ExactCount"]},"capacity":{"description":"Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. 
If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.CapacityRequirements"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.","type":"integer","format":"int64"},"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required if no subrequests are specified in the firstAvailable list and no class can be set if subrequests are specified in the firstAvailable list. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"firstAvailable":{"description":"FirstAvailable contains subrequests, of which exactly one will be satisfied by the scheduler to satisfy this request. It tries to satisfy them in the order in which they are listed here. So if there are two entries in the list, the scheduler will only check the second one if it determines that the first one cannot be used.\n\nThis field may only be set in the entries of DeviceClaim.Requests.\n\nDRA does not yet implement scoring, so the scheduler will select the first set of devices that satisfies all the requests in the claim. 
And if the requirements can be satisfied on more than one node, other scheduling features will determine which node is chosen. This means that the set of devices allocated to a claim might not be the optimal set available to the cluster. Scoring will be implemented later.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceSubRequest"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label and unique among all DeviceRequests in a ResourceClaim.","type":"string"},"selectors":{"description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector"},"x-kubernetes-list-type":"atomic"},"tolerations":{"description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. 
Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceRequest"},"io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult":{"description":"DeviceRequestAllocationResult contains the allocation result for one request.","type":"object","required":["request","driver","pool","device"],"properties":{"adminAccess":{"description":"AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.","type":"boolean"},"bindingConditions":{"description":"BindingConditions contains a copy of the BindingConditions from the corresponding ResourceSlice at the time of allocation.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"bindingFailureConditions":{"description":"BindingFailureConditions contains a copy of the BindingFailureConditions from the corresponding ResourceSlice at the time of allocation.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"consumedCapacity":{"description":"ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request. 
The consumed amount may differ from the requested amount: it is rounded up to the nearest valid value based on the device’s requestPolicy if applicable (i.e., may not be less than the requested amount).\n\nThe total consumed capacity for each device must not exceed the DeviceCapacity's Value.\n\nThis field is populated only for devices that allow multiple allocations. All capacity entries are included, even if the consumed amount is zero.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"device":{"description":"Device references one device instance via its name in the driver's resource pool. It must be a DNS label.","type":"string"},"driver":{"description":"Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.","type":"string"},"pool":{"description":"This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.","type":"string"},"request":{"description":"Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.","type":"string"},"shareID":{"description":"ShareID uniquely identifies an individual allocation share of the device, used when the device supports multiple simultaneous allocations. 
It serves as an additional map key to differentiate concurrent shares of the same device.","type":"string"},"tolerations":{"description":"A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult"},"io.k8s.api.resource.v1beta1.DeviceSelector":{"description":"DeviceSelector must have exactly one field set.","type":"object","properties":{"cel":{"description":"CEL contains a CEL expression for selecting a device.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector"}},"title":"io.k8s.api.resource.v1beta1.DeviceSelector"},"io.k8s.api.resource.v1beta1.DeviceSubRequest":{"description":"DeviceSubRequest describes a request for device provided in the claim.spec.devices.requests[].firstAvailable array. Each is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nDeviceSubRequest is similar to Request, but doesn't expose the AdminAccess or FirstAvailable fields, as those can only be set on the top-level request. AdminAccess is not supported for requests with a prioritized list, and recursive FirstAvailable fields are not supported.","type":"object","required":["name","deviceClassName"],"properties":{"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. 
The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`","type":"string","enum":["All","ExactCount"]},"capacity":{"description":"Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.CapacityRequirements"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.","type":"integer","format":"int64"},"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this subrequest.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"name":{"description":"Name can be used to reference this subrequest in the list of constraints or the list of configurations for the claim. References must use the format <main request>/<subrequest>.\n\nMust be a DNS label.","type":"string"},"selectors":{"description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this subrequest. All selectors must be satisfied for a device to be considered.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector"},"x-kubernetes-list-type":"atomic"},"tolerations":{"description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. 
Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.DeviceSubRequest"},"io.k8s.api.resource.v1beta1.DeviceTaint":{"description":"The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.","type":"object","required":["key","effect"],"properties":{"effect":{"description":"The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.","type":"string","enum":["NoExecute","NoSchedule","None"]},"key":{"description":"The taint key to be applied to a device. Must be a label name.","type":"string"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"value":{"description":"The taint value corresponding to the taint key. 
Must be a label value.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.DeviceTaint"},"io.k8s.api.resource.v1beta1.DeviceToleration":{"description":"The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.","type":"string","enum":["NoExecute","NoSchedule","None"]},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.\n\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`","type":"string","enum":["Equal","Exists"]},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 
If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was added> + <toleration seconds>.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.DeviceToleration"},"io.k8s.api.resource.v1beta1.NetworkDeviceData":{"description":"NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.","type":"object","properties":{"hardwareAddress":{"description":"HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.\n\nMust not be longer than 128 characters.","type":"string"},"interfaceName":{"description":"InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.","type":"string"},"ips":{"description":"IPs lists the network addresses assigned to the device's network interface. This can include both IPv4 and IPv6 addresses. The IPs are in the CIDR notation, which includes both the address and the associated subnet mask. 
e.g.: \"192.0.2.5/24\" for IPv4 and \"2001:db8::5/64\" for IPv6.\n\nMust not contain more than 16 entries.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.NetworkDeviceData"},"io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration":{"description":"OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.","type":"object","required":["driver","parameters"],"properties":{"driver":{"description":"Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.","type":"string"},"parameters":{"description":"Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"}},"title":"io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"},"io.k8s.api.resource.v1beta1.ResourceClaim":{"description":"ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. 
The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec describes what is being requested and how to configure it. The spec is immutable.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec"},"status":{"description":"Status describes whether the claim is ready to use and what has been allocated.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaim","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceClaim"},"io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference":{"description":"ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.","type":"object","required":["resource","name","uid"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. 
It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.","type":"string"},"name":{"description":"Name is the name of resource being referenced.","type":"string"},"resource":{"description":"Resource is the type of resource being referenced, for example \"pods\".","type":"string"},"uid":{"description":"UID identifies exactly one incarnation of the resource.","type":"string"}},"title":"io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference"},"io.k8s.api.resource.v1beta1.ResourceClaimList":{"description":"ResourceClaimList is a collection of claims.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource claims.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimList","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceClaimList"},"io.k8s.api.resource.v1beta1.ResourceClaimSpec":{"description":"ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.","type":"object","properties":{"devices":{"description":"Devices defines how to request devices.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim"}},"title":"io.k8s.api.resource.v1beta1.ResourceClaimSpec"},"io.k8s.api.resource.v1beta1.ResourceClaimStatus":{"description":"ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.","type":"object","properties":{"allocation":{"description":"Allocation is set once the claim has been allocated successfully.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.AllocationResult"},"devices":{"description":"Devices contains the status of each device allocated for this claim, as reported by the driver. This can include driver-specific information. Entries are owned by their respective drivers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.AllocatedDeviceStatus"},"x-kubernetes-list-map-keys":["driver","device","pool","shareID"],"x-kubernetes-list-type":"map"},"reservedFor":{"description":"ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. 
When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 256 such reservations. This may get increased in the future, but not reduced.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference"},"x-kubernetes-list-map-keys":["uid"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"uid","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.resource.v1beta1.ResourceClaimStatus"},"io.k8s.api.resource.v1beta1.ResourceClaimTemplate":{"description":"ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimTemplate","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceClaimTemplate"},"io.k8s.api.resource.v1beta1.ResourceClaimTemplateList":{"description":"ResourceClaimTemplateList is a collection of claim templates.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource claim templates.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaimTemplateList","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceClaimTemplateList"},"io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec":{"description":"ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.","type":"object","required":["spec"],"properties":{"metadata":{"description":"ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec"}},"title":"io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec"},"io.k8s.api.resource.v1beta1.ResourcePool":{"description":"ResourcePool describes the pool that ResourceSlices belong to.","type":"object","required":["name","generation","resourceSliceCount"],"properties":{"generation":{"description":"Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.","type":"integer","format":"int64"},"name":{"description":"Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.","type":"string"},"resourceSliceCount":{"description":"ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.","type":"integer","format":"int64"}},"title":"io.k8s.api.resource.v1beta1.ResourcePool"},"io.k8s.api.resource.v1beta1.ResourceSlice":{"description":"ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. 
A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSlice","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceSlice"},"io.k8s.api.resource.v1beta1.ResourceSliceList":{"description":"ResourceSliceList is a collection of ResourceSlices.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of ResourceSlices.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSliceList","version":"v1beta1"}],"title":"io.k8s.api.resource.v1beta1.ResourceSliceList"},"io.k8s.api.resource.v1beta1.ResourceSliceSpec":{"description":"ResourceSliceSpec contains the information published by the driver in one ResourceSlice.","type":"object","required":["driver","pool"],"properties":{"allNodes":{"description":"AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"devices":{"description":"Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.Device"},"x-kubernetes-list-type":"atomic"},"driver":{"description":"Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.","type":"string"},"nodeName":{"description":"NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. 
It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.","type":"string"},"nodeSelector":{"description":"NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"},"perDeviceNodeSelection":{"description":"PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined in the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"pool":{"description":"Pool describes the pool that this ResourceSlice belongs to.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourcePool"},"sharedCounters":{"description":"SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.CounterSet"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.resource.v1beta1.ResourceSliceSpec"},"io.k8s.api.scheduling.v1.PriorityClass":{"description":"PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.","type":"object","required":["value"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"description":{"description":"description is an arbitrary string that usually provides guidelines on when this priority class should be used.","type":"string"},"globalDefault":{"description":"globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClass exists with its `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"preemptionPolicy":{"description":"preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.","type":"string","enum":["Never","PreemptLowerPriority"]},"value":{"description":"value represents the integer value of this priority class. 
This is the actual priority that pods receive when they have the name of this class in their pod spec.","type":"integer","format":"int32"}},"x-kubernetes-group-version-kind":[{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}],"title":"io.k8s.api.scheduling.v1.PriorityClass"},"io.k8s.api.scheduling.v1.PriorityClassList":{"description":"PriorityClassList is a collection of priority classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of PriorityClasses","type":"array","items":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"scheduling.k8s.io","kind":"PriorityClassList","version":"v1"}],"title":"io.k8s.api.scheduling.v1.PriorityClassList"},"io.k8s.api.storage.v1.CSIDriver":{"description":"CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. 
Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents the specification of the CSI Driver.","$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriverSpec"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}],"title":"io.k8s.api.storage.v1.CSIDriver"},"io.k8s.api.storage.v1.CSIDriverList":{"description":"CSIDriverList is a collection of CSIDriver objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSIDriver","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIDriverList","version":"v1"}],"title":"io.k8s.api.storage.v1.CSIDriverList"},"io.k8s.api.storage.v1.CSIDriverSpec":{"description":"CSIDriverSpec is the specification of a CSIDriver.","type":"object","properties":{"attachRequired":{"description":"attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the value is specified to false, the attach operation will be skipped. 
Otherwise the attach operation will be called.\n\nThis field is immutable.","type":"boolean"},"fsGroupPolicy":{"description":"fsGroupPolicy defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.\n\nThis field was immutable in Kubernetes < 1.29 and now is mutable.\n\nDefaults to ReadWriteOnceWithFSType, which will examine each volume to determine if Kubernetes should modify ownership and permissions of the volume. With the default policy the defined fsGroup will only be applied if a fstype is defined and the volume's access mode contains ReadWriteOnce.","type":"string"},"nodeAllocatableUpdatePeriodSeconds":{"description":"nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.\n\nThis is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.\n\nThis field is mutable.","type":"integer","format":"int64"},"podInfoOnMount":{"description":"podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations, if set to true. If set to false, pod information will not be passed on mount. Default is false.\n\nThe CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.\n\nThe following VolumeContext will be passed if podInfoOnMount is set to true. 
This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n                                defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field was immutable in Kubernetes < 1.29 and now is mutable.","type":"boolean"},"requiresRepublish":{"description":"requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.","type":"boolean"},"seLinuxMount":{"description":"seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. 
In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".","type":"boolean"},"serviceAccountTokenInSecrets":{"description":"serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.","type":"boolean"},"storageCapacity":{"description":"storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.\n\nThe check can be enabled immediately when deploying a driver. 
In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.","type":"boolean"},"tokenRequests":{"description":"tokenRequests indicates that the CSI driver needs the service account tokens of the pods it is mounting volumes for in order to do the necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls, unless serviceAccountTokenInSecrets is set to true, in which case the tokens are passed only in the Secrets field under the same key (the Secrets field is the CSI mechanism intended for credentials, whereas tokens passed in VolumeContext have been logged as part of volume context). The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n  \"<audience>\": {\n    \"token\": <token>,\n    \"expirationTimestamp\": <expiration timestamp in RFC3339>,\n  },\n  ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.TokenRequest"},"x-kubernetes-list-type":"atomic"},"volumeLifecycleModes":{"description":"volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.\n\nThe other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. 
A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.\n\nFor more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.\n\nThis field is beta. This field is immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}},"title":"io.k8s.api.storage.v1.CSIDriverSpec"},"io.k8s.api.storage.v1.CSINode":{"description":"CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
metadata.name must be the Kubernetes node name.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the specification of CSINode","$ref":"#/definitions/io.k8s.api.storage.v1.CSINodeSpec"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}],"title":"io.k8s.api.storage.v1.CSINode"},"io.k8s.api.storage.v1.CSINodeDriver":{"description":"CSINodeDriver holds information about the specification of one CSI driver installed on a node","type":"object","required":["name","nodeID"],"properties":{"allocatable":{"description":"allocatable represents the volume resources of a node that are available for scheduling. This field is beta.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeNodeResources"},"name":{"description":"name represents the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.","type":"string"},"nodeID":{"description":"nodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as \"node1\", but the storage system may refer to the same node as \"nodeA\". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. \"nodeA\" instead of \"node1\". This field is required.","type":"string"},"topologyKeys":{"description":"topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. \"company.com/zone\", \"company.com/region\"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. 
When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.api.storage.v1.CSINodeDriver"},"io.k8s.api.storage.v1.CSINodeList":{"description":"CSINodeList is a collection of CSINode objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSINode","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSINodeList","version":"v1"}],"title":"io.k8s.api.storage.v1.CSINodeList"},"io.k8s.api.storage.v1.CSINodeSpec":{"description":"CSINodeSpec holds information about the specification of all CSI drivers installed on a node","type":"object","required":["drivers"],"properties":{"drivers":{"description":"drivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINodeDriver"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.api.storage.v1.CSINodeSpec"},"io.k8s.api.storage.v1.CSIStorageCapacity":{"description":"CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment.  
This can be used when considering where to instantiate new PersistentVolumes.\n\nFor example this can express things like: - StorageClass \"standard\" has \"1234 GiB\" available in \"topology.kubernetes.io/zone=us-east1\" - StorageClass \"localssd\" has \"10 GiB\" available in \"kubernetes.io/hostname=knode-abc123\"\n\nThe following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero\n\nThe producer of these objects can decide which approach is more suitable.\n\nThey are consumed by the kube-scheduler when a CSI driver opts into capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler compares the MaximumVolumeSize against the requested size of pending volumes to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back to a comparison against the less precise Capacity. If that is also unset, the scheduler assumes that capacity is insufficient and tries some other node.","type":"object","required":["storageClassName"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"capacity":{"description":"capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. 
If not set, that information is currently unavailable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"maximumVolumeSize":{"description":"maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"metadata":{"description":"Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"nodeTopology":{"description":"nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. 
This field is immutable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"storageClassName":{"description":"storageClassName represents the name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}],"title":"io.k8s.api.storage.v1.CSIStorageCapacity"},"io.k8s.api.storage.v1.CSIStorageCapacityList":{"description":"CSIStorageCapacityList is a collection of CSIStorageCapacity objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSIStorageCapacity objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIStorageCapacityList","version":"v1"}],"title":"io.k8s.api.storage.v1.CSIStorageCapacityList"},"io.k8s.api.storage.v1.StorageClass":{"description":"StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.\n\nStorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.","type":"object","required":["provisioner"],"properties":{"allowVolumeExpansion":{"description":"allowVolumeExpansion shows whether the storage class allow volume expand.","type":"boolean"},"allowedTopologies":{"description":"allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySelectorTerm"},"x-kubernetes-list-type":"atomic"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"mountOptions":{"description":"mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"parameters":{"description":"parameters holds the parameters for the provisioner that should create volumes of this storage class.","type":"object","additionalProperties":{"type":"string"}},"provisioner":{"description":"provisioner indicates the type of the provisioner.","type":"string"},"reclaimPolicy":{"description":"reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. Defaults to Delete.\n\nPossible enum values:\n - `\"Delete\"` means the volume will be deleted from Kubernetes on release from its claim. The volume plugin must support Deletion.\n - `\"Recycle\"` means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. The volume plugin must support Recycling.\n - `\"Retain\"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain.","type":"string","enum":["Delete","Recycle","Retain"]},"volumeBindingMode":{"description":"volumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. 
This field is only honored by servers that enable the VolumeScheduling feature.\n\nPossible enum values:\n - `\"Immediate\"` indicates that PersistentVolumeClaims should be immediately provisioned and bound. This is the default mode.\n - `\"WaitForFirstConsumer\"` indicates that PersistentVolumeClaims should not be provisioned and bound until the first Pod is created that references the PersistentVolumeClaim. The volume provisioning and binding will occur during Pod scheduling.","type":"string","enum":["Immediate","WaitForFirstConsumer"]}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}],"title":"io.k8s.api.storage.v1.StorageClass"},"io.k8s.api.storage.v1.StorageClassList":{"description":"StorageClassList is a collection of storage classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of StorageClasses","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"StorageClassList","version":"v1"}],"title":"io.k8s.api.storage.v1.StorageClassList"},"io.k8s.api.storage.v1.TokenRequest":{"description":"TokenRequest contains parameters of a service account token.","type":"object","required":["audience"],"properties":{"audience":{"description":"audience is the intended audience of the token in \"TokenRequestSpec\". It will default to the audiences of kube apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the duration of validity of the token in \"TokenRequestSpec\". It has the same default value of \"ExpirationSeconds\" in \"TokenRequestSpec\".","type":"integer","format":"int64"}},"title":"io.k8s.api.storage.v1.TokenRequest"},"io.k8s.api.storage.v1.VolumeAttachment":{"description":"VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.\n\nVolumeAttachment objects are non-namespaced.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSpec"},"status":{"description":"status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentStatus"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}],"title":"io.k8s.api.storage.v1.VolumeAttachment"},"io.k8s.api.storage.v1.VolumeAttachmentList":{"description":"VolumeAttachmentList is a collection of VolumeAttachment objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of VolumeAttachments","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttachmentList","version":"v1"}],"title":"io.k8s.api.storage.v1.VolumeAttachmentList"},"io.k8s.api.storage.v1.VolumeAttachmentSource":{"description":"VolumeAttachmentSource represents a volume that should be attached. Right now only PersistentVolumes can be attached via external attacher, in the future we may allow also inline volumes in pods. Exactly one member can be set.","type":"object","properties":{"inlineVolumeSpec":{"description":"inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"},"persistentVolumeName":{"description":"persistentVolumeName represents the name of the persistent volume to attach.","type":"string"}},"title":"io.k8s.api.storage.v1.VolumeAttachmentSource"},"io.k8s.api.storage.v1.VolumeAttachmentSpec":{"description":"VolumeAttachmentSpec is the specification of a VolumeAttachment request.","type":"object","required":["attacher","source","nodeName"],"properties":{"attacher":{"description":"attacher indicates the name of the volume driver that MUST handle this request. 
This is the name returned by GetPluginName().","type":"string"},"nodeName":{"description":"nodeName represents the node that the volume should be attached to.","type":"string"},"source":{"description":"source represents the volume that should be attached.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSource"}},"title":"io.k8s.api.storage.v1.VolumeAttachmentSpec"},"io.k8s.api.storage.v1.VolumeAttachmentStatus":{"description":"VolumeAttachmentStatus is the status of a VolumeAttachment request.","type":"object","required":["attached"],"properties":{"attachError":{"description":"attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeError"},"attached":{"description":"attached indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","type":"boolean"},"attachmentMetadata":{"description":"attachmentMetadata is populated with any information returned by the attach operation, upon successful attach, that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","type":"object","additionalProperties":{"type":"string"}},"detachError":{"description":"detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeError"}},"title":"io.k8s.api.storage.v1.VolumeAttachmentStatus"},"io.k8s.api.storage.v1.VolumeAttributesClass":{"description":"VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. 
The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.","type":"object","required":["driverName"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"driverName":{"description":"Name of the CSI driver This field is immutable.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"parameters":{"description":"parameters hold volume attributes defined by the CSI driver. These values are opaque to the Kubernetes and are passed directly to the CSI driver. The underlying storage provider supports changing these attributes on an existing volume, however the parameters field itself is immutable. To invoke a volume update, a new VolumeAttributesClass should be created with new parameters, and the PersistentVolumeClaim should be updated to reference the new VolumeAttributesClass.\n\nThis field is required and must contain at least one key/value pair. The keys cannot be empty, and the maximum number of parameters is 512, with a cumulative max size of 256K. 
If the CSI driver rejects invalid parameters, the target PersistentVolumeClaim will be set to an \"Infeasible\" state in the modifyVolumeStatus field.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttributesClass","version":"v1"}],"title":"io.k8s.api.storage.v1.VolumeAttributesClass"},"io.k8s.api.storage.v1.VolumeAttributesClassList":{"description":"VolumeAttributesClassList is a collection of VolumeAttributesClass objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of VolumeAttributesClass objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttributesClassList","version":"v1"}],"title":"io.k8s.api.storage.v1.VolumeAttributesClassList"},"io.k8s.api.storage.v1.VolumeError":{"description":"VolumeError captures an error encountered during a volume operation.","type":"object","properties":{"errorCode":{"description":"errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.\n\nThis is an optional, beta field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.","type":"integer","format":"int32"},"message":{"description":"message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.","type":"string"},"time":{"description":"time represents the time the error was encountered.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.api.storage.v1.VolumeError"},"io.k8s.api.storage.v1.VolumeNodeResources":{"description":"VolumeNodeResources is a set of resource limits for scheduling of volumes.","type":"object","properties":{"count":{"description":"count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. 
If this field is not specified, then the supported number of volumes on this node is unbounded.","type":"integer","format":"int32"}},"title":"io.k8s.api.storage.v1.VolumeNodeResources"},"io.k8s.api.storage.v1beta1.VolumeAttributesClass":{"description":"VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.","type":"object","required":["driverName"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"driverName":{"description":"Name of the CSI driver This field is immutable.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"parameters":{"description":"parameters hold volume attributes defined by the CSI driver. These values are opaque to the Kubernetes and are passed directly to the CSI driver. The underlying storage provider supports changing these attributes on an existing volume, however the parameters field itself is immutable. 
To invoke a volume update, a new VolumeAttributesClass should be created with new parameters, and the PersistentVolumeClaim should be updated to reference the new VolumeAttributesClass.\n\nThis field is required and must contain at least one key/value pair. The keys cannot be empty, and the maximum number of parameters is 512, with a cumulative max size of 256K. If the CSI driver rejects invalid parameters, the target PersistentVolumeClaim will be set to an \"Infeasible\" state in the modifyVolumeStatus field.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttributesClass","version":"v1beta1"}],"title":"io.k8s.api.storage.v1beta1.VolumeAttributesClass"},"io.k8s.api.storage.v1beta1.VolumeAttributesClassList":{"description":"VolumeAttributesClassList is a collection of VolumeAttributesClass objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of VolumeAttributesClass objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1beta1.VolumeAttributesClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttributesClassList","version":"v1beta1"}],"title":"io.k8s.api.storage.v1beta1.VolumeAttributesClassList"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition":{"description":"CustomResourceColumnDefinition specifies a column for server side printing.","type":"object","required":["name","type","jsonPath"],"properties":{"description":{"description":"description is a human readable description of this column.","type":"string"},"format":{"description":"format is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.","type":"string"},"jsonPath":{"description":"jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.","type":"string"},"name":{"description":"name is a human readable name for the column.","type":"string"},"priority":{"description":"priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.","type":"integer","format":"int32"},"type":{"description":"type is an OpenAPI type definition for this column. 
See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion":{"description":"CustomResourceConversion describes how to convert different versions of a CR.","type":"object","required":["strategy"],"properties":{"strategy":{"description":"strategy specifies how custom resources are converted between versions. Allowed values are: - `\"None\"`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `\"Webhook\"`: API Server will call to an external webhook to do the conversion. Additional information\n  is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.","type":"string"},"webhook":{"description":"webhook describes how to call the conversion webhook. Required when `strategy` is set to `\"Webhook\"`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition":{"description":"CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format <.spec.name>.<.spec.group>.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec describes how the user wants the resources to appear","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"},"status":{"description":"status indicates the actual state of the CustomResourceDefinition","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"}},"x-kubernetes-group-version-kind":[{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}],"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition":{"description":"CustomResourceDefinitionCondition contains details for the current condition of this pod.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable message indicating details about last transition.","type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.","type":"integer","format":"int64"},"reason":{"description":"reason is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition. Can be True, False, Unknown.","type":"string"},"type":{"description":"type is the type of the condition. Types include Established, NamesAccepted and Terminating.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList":{"description":"CustomResourceDefinitionList is a list of CustomResourceDefinition objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items list individual CustomResourceDefinition objects","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinitionList","version":"v1"}],"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames":{"description":"CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition","type":"object","required":["plural","kind"],"properties":{"categories":{"description":"categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.","type":"string"},"listKind":{"description":"listKind is the serialized kind of the list for this resource. Defaults to \"`kind`List\".","type":"string"},"plural":{"description":"plural is the plural name of the resource to serve. The custom resources are served under `/apis/<group>/<version>/.../<plural>`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`). Must be all lowercase.","type":"string"},"shortNames":{"description":"shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get <shortname>`. 
It must be all lowercase.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"singular":{"description":"singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec":{"description":"CustomResourceDefinitionSpec describes how a user wants their resource to appear","type":"object","required":["group","names","scope","versions"],"properties":{"conversion":{"description":"conversion defines conversion settings for the CRD.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"},"group":{"description":"group is the API group of the defined custom resource. The custom resources are served under `/apis/<group>/...`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).","type":"string"},"names":{"description":"names specify the resource and kind names for the custom resource.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"},"preserveUnknownFields":{"description":"preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.","type":"boolean"},"scope":{"description":"scope indicates whether the defined custom resource is cluster- or namespace-scoped. 
Allowed values are `Cluster` and `Namespaced`.","type":"string"},"versions":{"description":"versions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is \"kube-like\", it will sort above non \"kube-like\" version strings, which are ordered lexicographically. \"Kube-like\" versions start with a \"v\", then are followed by a number (the major version), then optionally the string \"alpha\" or \"beta\" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus":{"description":"CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition","type":"object","properties":{"acceptedNames":{"description":"acceptedNames are the names that are actually being used to serve discovery. 
They may be different than the names in spec.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"},"conditions":{"description":"conditions indicate state for particular aspects of a CustomResourceDefinition","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"observedGeneration":{"description":"The generation observed by the CRD controller.","type":"integer","format":"int64"},"storedVersions":{"description":"storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion":{"description":"CustomResourceDefinitionVersion describes a version for CRD.","type":"object","required":["name","served","storage"],"properties":{"additionalPrinterColumns":{"description":"additionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. 
If no columns are specified, a single column displaying the age of the custom resource is used.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition"},"x-kubernetes-list-type":"atomic"},"deprecated":{"description":"deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.","type":"boolean"},"deprecationWarning":{"description":"deprecationWarning overrides the default warning returned to API clients. May only be set when `deprecated` is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.","type":"string"},"name":{"description":"name is the version name, e.g. “v1”, “v2beta1”, etc. The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.","type":"string"},"schema":{"description":"schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"},"selectableFields":{"description":"selectableFields specifies paths to fields that may be used as field selectors. A maximum of 8 selectable fields are allowed. See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField"},"x-kubernetes-list-type":"atomic"},"served":{"description":"served is a flag enabling/disabling this version from being served via REST APIs","type":"boolean"},"storage":{"description":"storage indicates this version should be used when persisting custom resources to storage. 
There must be exactly one version with storage=true.","type":"boolean"},"subresources":{"description":"subresources specify what subresources this version of the defined custom resource have.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale":{"description":"CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.","type":"object","required":["specReplicasPath","statusReplicasPath"],"properties":{"labelSelectorPath":{"description":"labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.","type":"string"},"specReplicasPath":{"description":"specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.","type":"string"},"statusReplicasPath":{"description":"statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. 
Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus":{"description":"CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza","type":"object","title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources":{"description":"CustomResourceSubresources defines the status and scale subresources for CustomResources.","type":"object","properties":{"scale":{"description":"scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"},"status":{"description":"status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. 
requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation":{"description":"CustomResourceValidation is a list of validation methods for CustomResources.","type":"object","properties":{"openAPIV3Schema":{"description":"openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation":{"description":"ExternalDocumentation allows referencing an external resource for extended documentation.","type":"object","properties":{"description":{"type":"string"},"url":{"type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON":{"description":"JSON represents any valid JSON value. 
These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.","title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps":{"description":"JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).","type":"object","properties":{"$ref":{"type":"string"},"$schema":{"type":"string"},"additionalItems":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"},"additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"},"allOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"anyOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"default":{"description":"default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. 
Defaulting requires spec.preserveUnknownFields to be false.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"definitions":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"dependencies":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray"}},"description":{"type":"string"},"enum":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"x-kubernetes-list-type":"atomic"},"example":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"exclusiveMaximum":{"type":"boolean"},"exclusiveMinimum":{"type":"boolean"},"externalDocs":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation"},"format":{"description":"format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:\n\n- bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. 
- ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like \"0321751043\" or \"978-0321751041\" - isbn10: an ISBN10 number string like \"0321751043\" - isbn13: an ISBN13 number string like \"978-0321751041\" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\\\d{3})\\\\d{11})$ with any non digit characters mixed in - ssn: a U.S. 
social security number following the regex ^\\\\d{3}[- ]?\\\\d{2}[- ]?\\\\d{4}$ - hexcolor: an hexadecimal color code like \"#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like \"rgb(255,255,2559\" - byte: base64 encoded binary data - password: any kind of string - date: a date string like \"2006-01-02\" as defined by full-date in RFC3339 - duration: a duration string like \"22 ns\" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like \"2014-12-15T19:30:20.000Z\" as defined by date-time in RFC3339.","type":"string"},"id":{"type":"string"},"items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray"},"maxItems":{"type":"integer","format":"int64"},"maxLength":{"type":"integer","format":"int64"},"maxProperties":{"type":"integer","format":"int64"},"maximum":{"type":"number","format":"double"},"minItems":{"type":"integer","format":"int64"},"minLength":{"type":"integer","format":"int64"},"minProperties":{"type":"integer","format":"int64"},"minimum":{"type":"number","format":"double"},"multipleOf":{"type":"number","format":"double"},"not":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"nullable":{"type":"boolean"},"oneOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"pattern":{"type":"string"},"patternProperties":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"properties":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"required":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"title":{"type":"string"},"type":{"type":"string"},"uniqueIte
ms":{"type":"boolean"},"x-kubernetes-embedded-resource":{"description":"x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).","type":"boolean"},"x-kubernetes-int-or-string":{"description":"x-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns:\n\n1) anyOf:\n   - type: integer\n   - type: string\n2) allOf:\n   - anyOf:\n     - type: integer\n     - type: string\n   - ... zero or more","type":"boolean"},"x-kubernetes-list-map-keys":{"description":"x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used as the index of the map.\n\nThis tag MUST only be used on lists that have the \"x-kubernetes-list-type\" extension set to \"map\". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported).\n\nThe properties specified must either be required or have a default value, to ensure those properties are present for all list items.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"x-kubernetes-list-type":{"description":"x-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values:\n\n1) `atomic`: the list is treated as a single entity, like a scalar.\n     Atomic lists will be entirely replaced when updated. 
This extension\n     may be used on any type of list (struct, scalar, ...).\n2) `set`:\n     Sets are lists that must not have multiple items with the same value. Each\n     value must be a scalar, an object with x-kubernetes-map-type `atomic` or an\n     array with x-kubernetes-list-type `atomic`.\n3) `map`:\n     These lists are like maps in that their elements have a non-index key\n     used to identify them. Order is preserved upon merge. The map tag\n     must only be used on a list with elements of type object.\nDefaults to atomic for arrays.","type":"string"},"x-kubernetes-map-type":{"description":"x-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values:\n\n1) `granular`:\n     These maps are actual maps (key-value pairs) and each fields are independent\n     from each other (they can each be manipulated by separate actors). This is\n     the default behaviour for all maps.\n2) `atomic`: the list is treated as a single entity, like a scalar.\n     Atomic maps will be entirely replaced when updated.","type":"string"},"x-kubernetes-preserve-unknown-fields":{"description":"x-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. 
False is forbidden.","type":"boolean"},"x-kubernetes-validations":{"description":"x-kubernetes-validations describes a list of validation rules written in the CEL expression language.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule"},"x-kubernetes-list-map-keys":["rule"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"rule","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray":{"description":"JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.","title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool":{"description":"JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.","title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray":{"description":"JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.","title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField":{"description":"SelectableField specifies the JSON path of a field that may be used with field selectors.","type":"object","required":["jsonPath"],"properties":{"jsonPath":{"description":"jsonPath is a simple JSON path which is evaluated against each custom resource to produce a field selector value. Only JSON paths without the array notation are allowed. Must point to a field of type string, boolean or integer. 
Types with enum values and strings with formats are allowed. If jsonPath refers to an absent field in a resource, the jsonPath evaluates to an empty string. Must not point to metadata fields. Required.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","required":["namespace","name"],"properties":{"name":{"description":"name is the name of the service. Required","type":"string"},"namespace":{"description":"namespace is the namespace of the service. Required","type":"string"},"path":{"description":"path is an optional URL path at which the webhook will be contacted.","type":"string"},"port":{"description":"port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.","type":"integer","format":"int32"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule":{"description":"ValidationRule describes a validation rule written in the CEL expression language.","type":"object","required":["rule"],"properties":{"fieldPath":{"description":"fieldPath represents the field path returned when the validation fails. It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` It does not support list numeric index. It supports child operation to refer to an existing field currently. 
Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. Numeric index of array is not supported. For field name which contains special characters, use `['specialName']` to refer the field name. e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Rule contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\"","type":"string"},"messageExpression":{"description":"MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a rule, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the rule; the only difference is the return type. 
Example: \"x must be less than max (\"+string(self.max)+\")\"","type":"string"},"optionalOldSelf":{"description":"optionalOldSelf is used to opt a transition rule into evaluation even when the object is first created, or if the old object is missing the value.\n\nWhen enabled `oldSelf` will be a CEL optional whose value will be `None` if there is no old value, or when the object is initially created.\n\nYou may check for presence of oldSelf using `oldSelf.hasValue()` and unwrap it after checking using `oldSelf.value()`. Check the CEL documentation for Optional types for more information: https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes\n\nMay not be set unless `oldSelf` is used in `rule`.","type":"boolean"},"reason":{"description":"reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. The HTTP status code returned to the caller will match the reason of the first failed validation rule. The currently supported reasons are: \"FieldValueInvalid\", \"FieldValueForbidden\", \"FieldValueRequired\", \"FieldValueDuplicate\". If not set, default to use \"FieldValueInvalid\". All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.\n\nPossible enum values:\n - `\"FieldValueDuplicate\"` is used to report collisions of values that must be unique (e.g. unique IDs).\n - `\"FieldValueForbidden\"` is used to report valid (as per formatting rules) values which would be accepted under some conditions, but which are not permitted by the current conditions (such as security policy).\n - `\"FieldValueInvalid\"` is used to report malformed values (e.g. failed regex match, too long, out of bounds).\n - `\"FieldValueRequired\"` is used to report required values that are not provided (e.g. 
empty strings, null values, or empty arrays).","type":"string","enum":["FieldValueDuplicate","FieldValueForbidden","FieldValueInvalid","FieldValueRequired"]},"rule":{"description":"Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. The `self` variable in the CEL expression is bound to the scoped value. Example: - Rule scoped to the root of a resource with a status subresource: {\"rule\": \"self.status.actual <= self.spec.maxDesired\"}\n\nIf the Rule is scoped to an object with properties, the accessible properties of the object are field selectable via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as absent fields in CEL expressions. If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map are accessible via CEL macros and functions such as `self.all(...)`. If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and functions. If the Rule is scoped to a scalar, `self` is bound to the scalar value. Examples: - Rule scoped to a map of objects: {\"rule\": \"self.components['Widget'].priority < 10\"} - Rule scoped to a list of integers: {\"rule\": \"self.values.all(value, value >= 0 && value < 100)\"} - Rule scoped to a string value: {\"rule\": \"self.startsWith('kube')\"}\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.\n\nUnknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL expressions. 
This includes: - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. - Object properties where the property schema is of an \"unknown type\". An \"unknown type\" is recursively defined as:\n  - A schema with no type and x-kubernetes-preserve-unknown-fields set to true\n  - An array where the items schema is of an \"unknown type\"\n  - An object where the additionalProperties schema is of an \"unknown type\"\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Rule accessing a property named \"namespace\": {\"rule\": \"self.__namespace__ > 0\"}\n  - Rule accessing a property named \"x-prop\": {\"rule\": \"self.x__dash__prop > 0\"}\n  - Rule accessing a property named \"redact__d\": {\"rule\": \"self.redact__underscores__d > 0\"}\n\nEquality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. 
Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\n\nIf `rule` makes use of the `oldSelf` variable it is implicitly a `transition rule`.\n\nBy default, the `oldSelf` variable is the same type as `self`. When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional\n variable whose value() is the same type as `self`.\nSee the documentation for the `optionalOldSelf` field for details.\n\nTransition rules by default are applied only on UPDATE requests and are skipped if an old value could not be found. You can opt a transition rule into unconditional evaluation by setting `optionalOldSelf` to true.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook.","type":"object","properties":{"caBundle":{"description":"caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte"},"service":{"description":"service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference"},"url":{"description":"url gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). 
`host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.","type":"string"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion":{"description":"WebhookConversion describes how to call a conversion webhook","type":"object","required":["conversionReviewVersions"],"properties":{"clientConfig":{"description":"clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig"},"conversionReviewVersions":{"description":"conversionReviewVersions is an ordered list of preferred `ConversionReview` versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. 
If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"},"io.k8s.apimachinery.pkg.api.resource.Quantity":{"description":"Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will be rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\".
This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.","type":"string","title":"io.k8s.apimachinery.pkg.api.resource.Quantity"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup":{"description":"APIGroup contains the name, the supported versions, and the preferred version of a group.","type":"object","required":["name","versions"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the group.","type":"string"},"preferredVersion":{"description":"preferredVersion is the version preferred by the API server, which probably is the storage version.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"serverAddressByClientCIDRs":{"description":"a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"x-kubernetes-list-type":"atomic"},"versions":{"description":"versions are the versions supported in this group.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIGroup","version":"v1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList":{"description":"APIGroupList is a list of APIGroup, to allow clients to discover the API at /apis.","type":"object","required":["groups"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"groups":{"description":"groups is a list of APIGroup.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIGroupList","version":"v1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIResource":{"description":"APIResource specifies the name of a resource and whether it is namespaced.","type":"object","required":["name","singularName","namespaced","kind","verbs"],"properties":{"categories":{"description":"categories is a list of the grouped resources this resource belongs to (e.g. 'all')","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"group":{"description":"group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale.","type":"string"},"kind":{"description":"kind is the kind for the resource (e.g.
'Foo' is the kind for a resource 'foo')","type":"string"},"name":{"description":"name is the plural name of the resource.","type":"string"},"namespaced":{"description":"namespaced indicates if a resource is namespaced or not.","type":"boolean"},"shortNames":{"description":"shortNames is a list of suggested short names of the resource.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"singularName":{"description":"singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.","type":"string"},"storageVersionHash":{"description":"The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.","type":"string"},"verbs":{"description":"verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)","type":"array","items":{"type":"string"}},"version":{"description":"version is the preferred version of the resource.  
Empty implies the version of the containing resource list. For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group).","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList":{"description":"APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.","type":"object","required":["groupVersion","resources"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"groupVersion":{"description":"groupVersion is the group and version this APIResourceList is for.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"resources":{"description":"resources contains the name of the resources and if they are namespaced.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIResourceList","version":"v1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions":{"description":"APIVersions lists the versions that are available, to allow clients to discover the API at /api, which is the root path of the legacy v1 API.","type":"object","required":["versions","serverAddressByClientCIDRs"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"serverAddressByClientCIDRs":{"description":"a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. 
For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"x-kubernetes-list-type":"atomic"},"versions":{"description":"versions are the api versions that are available.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIVersions","version":"v1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions"},"io.k8s.apimachinery.pkg.apis.meta.v1.Condition":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["type","status","lastTransitionTime","reason","message"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human readable message indicating details about the transition. This may be an empty string.","type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.","type":"integer","format":"int64"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions":{"description":"DeleteOptions may be provided when deleting an API object.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"dryRun":{"description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"gracePeriodSeconds":{"description":"The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.","type":"integer","format":"int64"},"ignoreStoreReadErrorWithClusterBreakingPotential":{"description":"if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. 
A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"orphanDependents":{"description":"Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.","type":"boolean"},"preconditions":{"description":"Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"},"propagationPolicy":{"description":"Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. 
Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"DeleteOptions","version":"v1"},{"group":"admission.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"admission.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apiextensions.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"apiextensions.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apiregistration.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"apiregistration.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apps","kind":"DeleteOptions","version":"v1"},{"group":"apps","kind":"DeleteOptions","version":"v1beta1"},{"group":"apps","kind":"DeleteOptions","version":"v1beta2"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"authorization.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"authorization.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2beta1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2beta2"},{"group":"batch","kind":"DeleteOptions","version":"v1"},{"group":"batch","kind":"DeleteOptions","version":"v1beta1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","versio
n":"v1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"coordination.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"coordination.k8s.io","kind":"DeleteOptions","version":"v1alpha2"},{"group":"coordination.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"discovery.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"discovery.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"events.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"events.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"extensions","kind":"DeleteOptions","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta2"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta3"},{"group":"imagepolicy.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"internal.apiserver.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"networking.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"policy","kind":"DeleteOptions","version":"v1"},{"group":"policy","kind":"DeleteOptions","version":"v1beta1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"resource.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"resource.k8s.io","kin
d":"DeleteOptions","version":"v1alpha3"},{"group":"resource.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"resource.k8s.io","kind":"DeleteOptions","version":"v1beta2"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"storagemigration.k8s.io","kind":"DeleteOptions","version":"v1beta1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"},"io.k8s.apimachinery.pkg.apis.meta.v1.Duration":{"description":"Duration is a wrapper around time.Duration which supports correct marshaling to YAML and JSON. In particular, it marshals into strings, which can be used as map keys in json.","type":"string","title":"io.k8s.apimachinery.pkg.apis.meta.v1.Duration"},"io.k8s.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement":{"description":"FieldSelectorRequirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the field selector key that the requirement applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. The list of operators may grow in the future.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement"},"io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1":{"description":"FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is the position of an item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff","type":"object","title":"io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"},"io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery":{"description":"GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.","type":"object","required":["groupVersion","version"],"properties":{"groupVersion":{"description":"groupVersion specifies the API group and version in the form \"group/version\"","type":"string"},"version":{"description":"version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects.
A null label selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic","title":"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"},"io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta":{"description":"ListMeta describes metadata that synthetic resources must have, including lists and various status objects. 
A resource may have only one of {ObjectMeta, ListMeta}.","type":"object","properties":{"continue":{"description":"continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.","type":"string"},"remainingItemCount":{"description":"remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.","type":"integer","format":"int64"},"resourceVersion":{"description":"String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"selfLink":{"description":"Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"},"io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry":{"description":"ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.","type":"string"},"fieldsType":{"description":"FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"","type":"string"},"fieldsV1":{"description":"FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"},"manager":{"description":"Manager is an identifier of the workflow managing these fields.","type":"string"},"operation":{"description":"Operation is the type of operation which led to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.","type":"string"},"subresource":{"description":"Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. 
Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.","type":"string"},"time":{"description":"Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"},"io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":{"description":"MicroTime is version of Time with microsecond level precision.","type":"string","format":"date-time","title":"io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta":{"description":"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.","type":"object","properties":{"annotations":{"description":"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations","type":"object","additionalProperties":{"type":"string"}},"creationTimestamp":{"description":"CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deletionGracePeriodSeconds":{"description":"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.","type":"integer","format":"int64"},"deletionTimestamp":{"description":"DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"finalizers":{"description":"Must be empty before the object is deleted from the registry. 
Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set","x-kubernetes-patch-strategy":"merge"},"generateName":{"description":"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency","type":"string"},"generation":{"description":"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.","type":"integer","format":"int64"},"labels":{"description":"Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels","type":"object","additionalProperties":{"type":"string"}},"managedFields":{"description":"ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"namespace":{"description":"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces","type":"string"},"ownerReferences":{"description":"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. 
There cannot be more than one managing controller.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"},"x-kubernetes-list-map-keys":["uid"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"uid","x-kubernetes-patch-strategy":"merge"},"resourceVersion":{"description":"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and passed unmodified back to the server. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"selfLink":{"description":"Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.","type":"string"},"uid":{"description":"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference":{"description":"OwnerReference contains enough information to let you identify an owning object. 
An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic","title":"io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"},"io.k8s.apimachinery.pkg.apis.meta.v1.Patch":{"description":"Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.","type":"object","title":"io.k8s.apimachinery.pkg.apis.meta.v1.Patch"},"io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions":{"description":"Preconditions must be fulfilled before an operation (update, delete, etc.) 
is carried out.","type":"object","properties":{"resourceVersion":{"description":"Specifies the target ResourceVersion","type":"string"},"uid":{"description":"Specifies the target UID.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"},"io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR":{"description":"ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.","type":"object","required":["clientCIDR","serverAddress"],"properties":{"clientCIDR":{"description":"The CIDR with which clients can match their IP to figure out the server address that they should use.","type":"string"},"serverAddress":{"description":"Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"io.k8s.apimachinery.pkg.apis.meta.v1.Status":{"description":"Status is a return value for calls that don't return other objects.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"code":{"description":"Suggested HTTP return code for this status, 0 if not set.","type":"integer","format":"int32"},"details":{"description":"Extended data associated with the reason.  Each reason may define its own extended details. 
This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"message":{"description":"A human-readable description of the status of this operation.","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"},"reason":{"description":"A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.","type":"string"},"status":{"description":"Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Status","version":"v1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.Status"},"io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause":{"description":"StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.","type":"object","properties":{"field":{"description":"The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. 
Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"","type":"string"},"message":{"description":"A human-readable description of the cause of the error.  This field may be presented as-is to a reader.","type":"string"},"reason":{"description":"A machine-readable description of the cause of the error. If this value is empty there is no information available.","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"},"io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails":{"description":"StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.","type":"object","properties":{"causes":{"description":"The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"},"x-kubernetes-list-type":"atomic"},"group":{"description":"The group attribute of the resource associated with the status StatusReason.","type":"string"},"kind":{"description":"The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).","type":"string"},"retryAfterSeconds":{"description":"If specified, the time in seconds before the operation should be retried. 
Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.","type":"integer","format":"int32"},"uid":{"description":"UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"title":"io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"},"io.k8s.apimachinery.pkg.apis.meta.v1.Time":{"description":"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.","type":"string","format":"date-time","title":"io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent":{"description":"Event represents a single event to a watched resource.","type":"object","required":["type","object"],"properties":{"object":{"description":"Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on 
context.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"type":{"type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"WatchEvent","version":"v1"},{"group":"admission.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"admission.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apiextensions.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"apiextensions.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apiregistration.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"apiregistration.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apps","kind":"WatchEvent","version":"v1"},{"group":"apps","kind":"WatchEvent","version":"v1beta1"},{"group":"apps","kind":"WatchEvent","version":"v1beta2"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"authorization.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"authorization.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"autoscaling","kind":"WatchEvent","version":"v1"},{"group":"autoscaling","kind":"WatchEvent","version":"v2"},{"group":"autoscaling","kind":"WatchEvent","version":"v2beta1"},{"group":"autoscaling","kind":"WatchEvent","version":"v2beta2"},{"group":"batch","kind":"WatchEvent","version":"v1"},{"group":"batch","kind":"WatchEvent","version":"v1beta1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"coordination.k8s.io","kind":"WatchEvent","version"
:"v1"},{"group":"coordination.k8s.io","kind":"WatchEvent","version":"v1alpha2"},{"group":"coordination.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"discovery.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"discovery.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"events.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"events.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"extensions","kind":"WatchEvent","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta2"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta3"},{"group":"imagepolicy.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"internal.apiserver.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"networking.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"policy","kind":"WatchEvent","version":"v1"},{"group":"policy","kind":"WatchEvent","version":"v1beta1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"resource.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"resource.k8s.io","kind":"WatchEvent","version":"v1alpha3"},{"group":"resource.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"resource.k8s.io","kind":"WatchEvent","version":"v1beta2"},{"group":"scheduling.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"scheduling.k8s.io","kind":"WatchEvent","versio
n":"v1alpha1"},{"group":"scheduling.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"storagemigration.k8s.io","kind":"WatchEvent","version":"v1beta1"}],"title":"io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"},"io.k8s.apimachinery.pkg.runtime.RawExtension":{"description":"RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)","type":"object","title":"io.k8s.apimachinery.pkg.runtime.RawExtension"},"io.k8s.apimachinery.pkg.util.intstr.IntOrString":{"description":"IntOrString is a type that can hold an int32 or a string.  When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type.  This allows you to have, for example, a JSON field that can accept a name or number.","type":"string","format":"int-or-string","title":"io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"io.k8s.apimachinery.pkg.version.Info":{"description":"Info contains versioning information. how we'll want to distribute that information.","type":"object","required":["major","minor","gitVersion","gitCommit","gitTreeState","buildDate","goVersion","compiler","platform"],"properties":{"buildDate":{"type":"string"},"compiler":{"type":"string"},"emulationMajor":{"description":"EmulationMajor is the major version of the emulation version","type":"string"},"emulationMinor":{"description":"EmulationMinor is the minor version of the emulation version","type":"string"},"gitCommit":{"type":"string"},"gitTreeState":{"type":"string"},"gitVersion":{"type":"string"},"goVersion":{"type":"string"},"major":{"description":"Major is the major version of the binary version","type":"string"},"minCompatibilityMajor":{"description":"MinCompatibilityMajor is the major version of the minimum compatibility version","type":"string"},"minCompatibilityMinor":{"description":"MinCompatibilityMinor is the minor version of the minimum compatibility version","type":"string"},"minor":{"description":"Minor is the minor version of the binary version","type":"string"},"platform":{"type":"string"}},"title":"io.k8s.apimachinery.pkg.version.Info"},"io.k8s.autoscaling.v1.VerticalPodAutoscaler":{"description":"VerticalPodAutoscaler is the configuration for a vertical pod autoscaler, which automatically manages pod 
resources based on historical and real time resource utilization.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the behavior of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","type":"object","required":["targetRef"],"properties":{"recommenders":{"description":"Recommender responsible for generating recommendation for this object. List should be empty (then the default recommender will generate the recommendation) or contain exactly one recommender.","type":"array","items":{"description":"VerticalPodAutoscalerRecommenderSelector points to a specific Vertical Pod Autoscaler recommender. In the future it might pass parameters to the recommender.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the recommender responsible for generating recommendation for this object.","type":"string"}}}},"resourcePolicy":{"description":"Controls how the autoscaler computes recommended resources. 
The resource policy may be used to set constraints on the recommendations for individual containers. If any individual containers need to be excluded from getting the VPA recommendations, then it must be disabled explicitly by setting mode to \"Off\" under containerPolicies. If not specified, the autoscaler computes recommended resources for all containers in the pod, without additional constraints.","type":"object","properties":{"containerPolicies":{"description":"Per-container resource policies.","type":"array","items":{"description":"ContainerResourcePolicy controls how autoscaler computes the recommended resources for a specific container.","type":"object","properties":{"containerName":{"description":"Name of the container or DefaultContainerResourcePolicy, in which case the policy is used by the containers that don't have their own policy specified.","type":"string"},"controlledResources":{"description":"Specifies the type of recommendations that will be computed (and possibly applied) by VPA. If not specified, the default of [ResourceCPU, ResourceMemory] will be used.","type":"array","items":{"description":"ResourceName is the name identifying various resources in a ResourceList.","type":"string"}},"controlledValues":{"description":"Specifies which resource values should be controlled. The default is \"RequestsAndLimits\".","type":"string","enum":["RequestsAndLimits","RequestsOnly"]},"maxAllowed":{"description":"Specifies the maximum amount of resources that will be recommended for the container. The default is no maximum.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"minAllowed":{"description":"Specifies the minimal amount of resources that will be recommended for the container. 
The default is no minimum.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"mode":{"description":"Whether autoscaler is enabled for the container. The default is \"Auto\".","type":"string","enum":["Auto","Off"]}}}}}},"targetRef":{"description":"TargetRef points to the controller managing the set of pods for the autoscaler to control - e.g. Deployment, StatefulSet. VerticalPodAutoscaler can be targeted at controller implementing scale subresource (the pod set is retrieved from the controller's ScaleStatus) or some well known controllers (e.g. for DaemonSet the pod set is read from the controller's spec). If VerticalPodAutoscaler cannot use specified target it will report ConfigUnsupported condition. Note that VerticalPodAutoscaler does not require full implementation of scale subresource - it will not use it to modify the replica count. The only thing retrieved is a label selector matching pods grouped by the target resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"API version of the referent","type":"string"},"kind":{"description":"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"updatePolicy":{"description":"Describes the rules on how changes are applied to the pods. If not specified, all fields in the `PodUpdatePolicy` are set to their default values.","type":"object","properties":{"evictionRequirements":{"description":"EvictionRequirements is a list of EvictionRequirements that need to evaluate to true in order for a Pod to be evicted. 
If more than one EvictionRequirement is specified, all of them need to be fulfilled to allow eviction.","type":"array","items":{"description":"EvictionRequirement defines a single condition which needs to be true in order to evict a Pod","type":"object","required":["changeRequirement","resources"],"properties":{"changeRequirement":{"description":"EvictionChangeRequirement refers to the relationship between the new target recommendation for a Pod and its current requests, what kind of change is necessary for the Pod to be evicted","type":"string","enum":["TargetHigherThanRequests","TargetLowerThanRequests"]},"resources":{"description":"Resources is a list of one or more resources that the condition applies to. If more than one resource is given, the EvictionRequirement is fulfilled if at least one resource meets `changeRequirement`.","type":"array","items":{"description":"ResourceName is the name identifying various resources in a ResourceList.","type":"string"}}}}},"minReplicas":{"description":"Minimal number of replicas which need to be alive for Updater to attempt pod eviction (pending other checks like PDB). Only positive values are allowed. Overrides global '--min-replicas' flag.","type":"integer","format":"int32"},"updateMode":{"description":"Controls when autoscaler applies changes to the pod resources. 
The default is 'Auto'.","type":"string","enum":["Off","Initial","Recreate","Auto"]}}}}},"status":{"description":"Current information about the autoscaler.","type":"object","properties":{"conditions":{"description":"Conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.","type":"array","items":{"description":"VerticalPodAutoscalerCondition describes the state of a VerticalPodAutoscaler at a certain point.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another","type":"string","format":"date-time"},"message":{"description":"message is a human-readable explanation containing details about the transition","type":"string"},"reason":{"description":"reason is the reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition (True, False, Unknown)","type":"string"},"type":{"description":"type describes the current condition","type":"string"}}}},"recommendation":{"description":"The most recently computed amount of resources recommended by the autoscaler for the controlled pods.","type":"object","properties":{"containerRecommendations":{"description":"Resources recommended by the autoscaler for each container.","type":"array","items":{"description":"RecommendedContainerResources is the recommendation of resources computed by autoscaler for a specific container. Respects the container resource policy if present in the spec. In particular the recommendation is not produced for containers with `ContainerScalingMode` set to 'Off'.","type":"object","required":["target"],"properties":{"containerName":{"description":"Name of the container.","type":"string"},"lowerBound":{"description":"Minimum recommended amount of resources. Observes ContainerResourcePolicy. 
This amount is not guaranteed to be sufficient for the application to operate in a stable way, however running with less resources is likely to have significant impact on performance/availability.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"target":{"description":"Recommended amount of resources. Observes ContainerResourcePolicy.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"uncappedTarget":{"description":"The most recent recommended resources target computed by the autoscaler for the controlled pods, based only on actual resource usage, not taking into account the ContainerResourcePolicy. May differ from the Recommendation if the actual resource usage causes the target to violate the ContainerResourcePolicy (lower than MinAllowed or higher than MaxAllowed). Used only as status indication, will not affect actual resource assignment.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"upperBound":{"description":"Maximum recommended amount of resources. Observes ContainerResourcePolicy. Any resources allocated beyond this value are likely wasted. 
This value may be larger than the maximum amount the application is actually capable of consuming.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscaler","version":"v1"}],"title":"io.k8s.autoscaling.v1.VerticalPodAutoscaler"},"io.k8s.autoscaling.v1.VerticalPodAutoscalerCheckpoint":{"description":"VerticalPodAutoscalerCheckpoint is the checkpoint of the internal state of VPA that is used for recovery after recommender's restart.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the checkpoint. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","type":"object","properties":{"containerName":{"description":"Name of the checkpointed container.","type":"string"},"vpaObjectName":{"description":"Name of the VPA object that stored VerticalPodAutoscalerCheckpoint object.","type":"string"}}},"status":{"description":"Data of the checkpoint.","type":"object","properties":{"cpuHistogram":{"description":"Checkpoint of histogram for consumption of CPU.","type":"object","properties":{"bucketWeights":{"description":"Map from bucket index to bucket weight.","x-kubernetes-preserve-unknown-fields":true},"referenceTimestamp":{"description":"Reference timestamp for samples collected within this histogram.","format":"date-time"},"totalWeight":{"description":"Sum of samples to be used as denominator for weights from BucketWeights.","type":"number"}}},"firstSampleStart":{"description":"Timestamp of the first sample from the histograms.","format":"date-time"},"lastSampleStart":{"description":"Timestamp of the last sample from the histograms.","format":"date-time"},"lastUpdateTime":{"description":"The time when the status was last refreshed.","format":"date-time"},"memoryHistogram":{"description":"Checkpoint of histogram for consumption of memory.","type":"object","properties":{"bucketWeights":{"description":"Map from bucket index to bucket weight.","x-kubernetes-preserve-unknown-fields":true},"referenceTimestamp":{"description":"Reference timestamp for samples collected within this histogram.","format":"date-time"},"totalWeight":{"description":"Sum of samples to be used as denominator for weights from BucketWeights.","type":"number"}}},"totalSamplesCount":{"description":"Total number of samples in the histograms.","type":"integer"},"version":{"description":"Version of the format of the stored 
data.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerCheckpoint","version":"v1"}],"title":"io.k8s.autoscaling.v1.VerticalPodAutoscalerCheckpoint"},"io.k8s.autoscaling.v1.VerticalPodAutoscalerCheckpointList":{"description":"VerticalPodAutoscalerCheckpointList is a list of VerticalPodAutoscalerCheckpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of verticalpodautoscalercheckpoints. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.autoscaling.v1.VerticalPodAutoscalerCheckpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerCheckpointList","version":"v1"}],"title":"io.k8s.autoscaling.v1.VerticalPodAutoscalerCheckpointList"},"io.k8s.autoscaling.v1.VerticalPodAutoscalerList":{"description":"VerticalPodAutoscalerList is a list of VerticalPodAutoscaler","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of verticalpodautoscalers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.autoscaling.v1.VerticalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerList","version":"v1"}],"title":"io.k8s.autoscaling.v1.VerticalPodAutoscalerList"},"io.k8s.autoscaling.v1beta2.VerticalPodAutoscaler":{"description":"VerticalPodAutoscaler is the configuration for a vertical pod autoscaler, which automatically manages pod resources based on historical and real time resource utilization.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the behavior of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","type":"object","required":["targetRef"],"properties":{"resourcePolicy":{"description":"Controls how the autoscaler computes recommended resources. The resource policy may be used to set constraints on the recommendations for individual containers. 
If not specified, the autoscaler computes recommended resources for all containers in the pod, without additional constraints.","type":"object","properties":{"containerPolicies":{"description":"Per-container resource policies.","type":"array","items":{"description":"ContainerResourcePolicy controls how autoscaler computes the recommended resources for a specific container.","type":"object","properties":{"containerName":{"description":"Name of the container or DefaultContainerResourcePolicy, in which case the policy is used by the containers that don't have their own policy specified.","type":"string"},"maxAllowed":{"description":"Specifies the maximum amount of resources that will be recommended for the container. The default is no maximum.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"minAllowed":{"description":"Specifies the minimal amount of resources that will be recommended for the container. The default is no minimum.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"mode":{"description":"Whether autoscaler is enabled for the container. The default is \"Auto\".","type":"string","enum":["Auto","Off"]}}}}}},"targetRef":{"description":"TargetRef points to the controller managing the set of pods for the autoscaler to control - e.g. Deployment, StatefulSet. VerticalPodAutoscaler can be targeted at controller implementing scale subresource (the pod set is retrieved from the controller's ScaleStatus) or some well known controllers (e.g. for DaemonSet the pod set is read from the controller's spec). If VerticalPodAutoscaler cannot use specified target it will report ConfigUnsupported condition. 
Note that VerticalPodAutoscaler does not require full implementation of scale subresource - it will not use it to modify the replica count. The only thing retrieved is a label selector matching pods grouped by the target resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"API version of the referent","type":"string"},"kind":{"description":"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"updatePolicy":{"description":"Describes the rules on how changes are applied to the pods. If not specified, all fields in the `PodUpdatePolicy` are set to their default values.","type":"object","properties":{"updateMode":{"description":"Controls when autoscaler applies changes to the pod resources. The default is 'Auto'.","type":"string","enum":["Off","Initial","Recreate","Auto"]}}}}},"status":{"description":"Current information about the autoscaler.","type":"object","properties":{"conditions":{"description":"Conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.","type":"array","items":{"description":"VerticalPodAutoscalerCondition describes the state of a VerticalPodAutoscaler at a certain point.","type":"object","required":["status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another","type":"string","format":"date-time"},"message":{"description":"message is a human-readable explanation containing details about the transition","type":"string"},"reason":{"description":"reason is the reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the 
condition (True, False, Unknown)","type":"string"},"type":{"description":"type describes the current condition","type":"string"}}}},"recommendation":{"description":"The most recently computed amount of resources recommended by the autoscaler for the controlled pods.","type":"object","properties":{"containerRecommendations":{"description":"Resources recommended by the autoscaler for each container.","type":"array","items":{"description":"RecommendedContainerResources is the recommendation of resources computed by autoscaler for a specific container. Respects the container resource policy if present in the spec. In particular the recommendation is not produced for containers with `ContainerScalingMode` set to 'Off'.","type":"object","required":["target"],"properties":{"containerName":{"description":"Name of the container.","type":"string"},"lowerBound":{"description":"Minimum recommended amount of resources. Observes ContainerResourcePolicy. This amount is not guaranteed to be sufficient for the application to operate in a stable way, however running with less resources is likely to have significant impact on performance/availability.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"target":{"description":"Recommended amount of resources. Observes ContainerResourcePolicy.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"uncappedTarget":{"description":"The most recent recommended resources target computed by the autoscaler for the controlled pods, based only on actual resource usage, not taking into account the ContainerResourcePolicy. 
May differ from the Recommendation if the actual resource usage causes the target to violate the ContainerResourcePolicy (lower than MinAllowed or higher than MaxAllowed). Used only as status indication, will not affect actual resource assignment.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"upperBound":{"description":"Maximum recommended amount of resources. Observes ContainerResourcePolicy. Any resources allocated beyond this value are likely wasted. This value may be larger than the maximum amount the application is actually capable of consuming.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscaler","version":"v1beta2"}],"title":"io.k8s.autoscaling.v1beta2.VerticalPodAutoscaler"},"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerCheckpoint":{"description":"VerticalPodAutoscalerCheckpoint is the checkpoint of the internal state of VPA that is used for recovery after recommender's restart.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","type":"object","properties":{"containerName":{"description":"Name of the checkpointed container.","type":"string"},"vpaObjectName":{"description":"Name of the VPA object that stored VerticalPodAutoscalerCheckpoint object.","type":"string"}}},"status":{"description":"Data of the checkpoint.","type":"object","properties":{"cpuHistogram":{"description":"Checkpoint of histogram for consumption of CPU.","type":"object","properties":{"bucketWeights":{"description":"Map from bucket index to bucket weight.","x-kubernetes-preserve-unknown-fields":true},"referenceTimestamp":{"description":"Reference timestamp for samples collected within this histogram.","format":"date-time"},"totalWeight":{"description":"Sum of samples to be used as denominator for weights from BucketWeights.","type":"number"}}},"firstSampleStart":{"description":"Timestamp of the first sample from the histograms.","format":"date-time"},"lastSampleStart":{"description":"Timestamp of the last sample from the histograms.","format":"date-time"},"lastUpdateTime":{"description":"The time when the status was last refreshed.","format":"date-time"},"memoryHistogram":{"description":"Checkpoint of histogram for consumption of memory.","type":"object","properties":{"bucketWeights":{"description":"Map from bucket index to bucket weight.","x-kubernetes-preserve-unknown-fields":true},"referenceTimestamp":{"description":"Reference timestamp for samples collected within this 
histogram.","format":"date-time"},"totalWeight":{"description":"Sum of samples to be used as denominator for weights from BucketWeights.","type":"number"}}},"totalSamplesCount":{"description":"Total number of samples in the histograms.","type":"integer"},"version":{"description":"Version of the format of the stored data.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerCheckpoint","version":"v1beta2"}],"title":"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerCheckpoint"},"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerCheckpointList":{"description":"VerticalPodAutoscalerCheckpointList is a list of VerticalPodAutoscalerCheckpoint","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of verticalpodautoscalercheckpoints. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerCheckpoint"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerCheckpointList","version":"v1beta2"}],"title":"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerCheckpointList"},"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerList":{"description":"VerticalPodAutoscalerList is a list of VerticalPodAutoscaler","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of verticalpodautoscalers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.autoscaling.v1beta2.VerticalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling.k8s.io","kind":"VerticalPodAutoscalerList","version":"v1beta2"}],"title":"io.k8s.autoscaling.v1beta2.VerticalPodAutoscalerList"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService":{"description":"APIService represents a server for a particular GroupVersion. Name must be \"version.group\".","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec contains information for locating and communicating with a server","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"},"status":{"description":"Status contains derived information about an API server","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"}},"x-kubernetes-group-version-kind":[{"group":"apiregistration.k8s.io","kind":"APIService","version":"v1"}],"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition":{"description":"APIServiceCondition describes the state of an APIService at a particular point","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"Unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"Status is the status of the condition. Can be True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the condition.","type":"string"}},"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList":{"description":"APIServiceList is a list of APIService objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of APIService","type":"array","items":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apiregistration.k8s.io","kind":"APIServiceList","version":"v1"}],"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec":{"description":"APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.","type":"object","required":["groupPriorityMinimum","versionPriority"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte","x-kubernetes-list-type":"atomic"},"group":{"description":"Group is the API group name this server hosts","type":"string"},"groupPriorityMinimum":{"description":"GroupPriorityMinimum is the priority this group should have at least. 
Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMinimum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object.  (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s","type":"integer","format":"int32"},"insecureSkipTLSVerify":{"description":"InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged: with verification disabled, the identity of the server is not checked, so the connection is not protected against interception.  You should use the CABundle instead.","type":"boolean"},"service":{"description":"Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"},"version":{"description":"Version is the API version this server hosts.  For example, \"v1\"","type":"string"},"versionPriority":{"description":"VersionPriority controls the ordering of this API version inside of its group.  Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is \"kube-like\", it will sort above non \"kube-like\" version strings, which are ordered lexicographically. 
\"Kube-like\" versions start with a \"v\", then are followed by a number (the major version), then optionally the string \"alpha\" or \"beta\" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.","type":"integer","format":"int32"}},"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus":{"description":"APIServiceStatus contains derived information about an API server","type":"object","properties":{"conditions":{"description":"Current service state of apiService.","type":"array","items":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}},"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","properties":{"name":{"description":"Name is the name of the service","type":"string"},"namespace":{"description":"Namespace is the namespace of the service","type":"string"},"port":{"description":"If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. 
`port` should be a valid port number (1-65535, inclusive).","type":"integer","format":"int32"}},"title":"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"},"io.k8s.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics":{"description":"ContainerMetrics sets resource usage metrics of a container.","type":"object","required":["name","usage"],"properties":{"name":{"description":"Container name corresponding to the one from pod.spec.containers.","type":"string"},"usage":{"description":"The memory usage is the memory working set.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"title":"io.k8s.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics"},"io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetrics":{"description":"NodeMetrics sets resource usage metrics of a node.","type":"object","required":["timestamp","window","usage"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"timestamp":{"description":"The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"usage":{"description":"The memory usage is the memory working set.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"window":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Duration"}},"x-kubernetes-group-version-kind":[{"group":"metrics.k8s.io","kind":"NodeMetrics","version":"v1beta1"}],"title":"io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetrics"},"io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetricsList":{"description":"NodeMetricsList is a list of NodeMetrics.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of node metrics.","type":"array","items":{"$ref":"#/definitions/io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetrics"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"metrics.k8s.io","kind":"NodeMetricsList","version":"v1beta1"}],"title":"io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetricsList"},"io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetrics":{"description":"PodMetrics sets resource usage metrics of a pod.","type":"object","required":["timestamp","window","containers"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"containers":{"description":"Metrics for all containers are collected within the same time window.","type":"array","items":{"$ref":"#/definitions/io.k8s.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"timestamp":{"description":"The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"window":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Duration"}},"x-kubernetes-group-version-kind":[{"group":"metrics.k8s.io","kind":"PodMetrics","version":"v1beta1"}],"title":"io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetrics"},"io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetricsList":{"description":"PodMetricsList is a list of PodMetrics.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pod metrics.","type":"array","items":{"$ref":"#/definitions/io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetrics"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"metrics.k8s.io","kind":"PodMetricsList","version":"v1beta1"}],"title":"io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetricsList"},"io.kyverno.policies.v1.DeletingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions is a list of conditions that must be met for a resource to be deleted.\nConditions filter resources that have already been matched by the match constraints,\nnamespaceSelector, and objectSelector. An empty list of conditions matches all resources.\nThere are a maximum of 64 conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY condition evaluates to FALSE, the policy is skipped.\n  2. 
If ALL conditions evaluate to TRUE, the policy is executed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"schedule":{"description":"The schedule in Cron format\nRequired.","type":"string"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. 
The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.DeletingPolicy"},"io.kyverno.policies.v1.DeletingPolicyList":{"description":"DeletingPolicyList is a list of DeletingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of deletingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.DeletingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.DeletingPolicyList"},"io.kyverno.policies.v1.GeneratingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.","type":"object","required":["generate"],"properties":{"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"generateExisting":{"description":"GenerateExisting defines the configuration for generating resources for existing triggers.","type":"object","properties":{"enabled":{"description":"Enabled controls whether to trigger the policy for existing resources.\nIf set to \"true\" the policy will be triggered and applied to existing matched resources.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.","type":"object","properties":{"enabled":{"description":"Enabled controls whether generated resources should be deleted when the policy that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"}}},"synchronize":{"description":"Synchronization defines the configuration for the synchronization of generated resources.","type":"object","properties":{"enabled":{"description":"Enabled controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"generate":{"description":"Generation defines a set of CEL expressions that will be evaluated to generate resources.\nRequired.","type":"array","minItems":1,"items":{"description":"Generation defines the configuration for the generation of resources.","type":"object","properties":{"expression":{"description":"Expression is a CEL expression that takes a list of resources to be generated.","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources will trigger this policy.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's 
status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.GeneratingPolicy"},"io.kyverno.policies.v1.GeneratingPolicyList":{"description":"GeneratingPolicyList is a list of GeneratingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of generatingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.GeneratingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.GeneratingPolicyList"},"io.kyverno.policies.v1.ImageValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"InsecureIgnoreSCT defines whether to skip using the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines a CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which are used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"InsecureIgnoreSCT defines whether to skip the Signed Certificate Timestamp (SCT) log check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies the signature hash algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which is used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.ImageValidatingPolicy"},"io.kyverno.policies.v1.ImageValidatingPolicyList":{"description":"ImageValidatingPolicyList is a list of ImageValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of imagevalidatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.ImageValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.ImageValidatingPolicyList"},"io.kyverno.policies.v1.MutatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate pod controller rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. 
Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. 
user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. 
If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicy","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.MutatingPolicy"},"io.kyverno.policies.v1.MutatingPolicyList":{"description":"MutatingPolicyList is a list of MutatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mutatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.MutatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicyList","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.MutatingPolicyList"},"io.kyverno.policies.v1.NamespacedDeletingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions is a list of conditions that must be met for a resource to be deleted.\nConditions filter resources that have already been matched by the match constraints,\nnamespaceSelector, and objectSelector. An empty list of conditions matches all resources.\nThere are a maximum of 64 conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY condition evaluates to FALSE, the policy is skipped.\n  2. If ALL conditions evaluate to TRUE, the policy is executed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API 
groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced 
resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"schedule":{"description":"The schedule in Cron format\nRequired.","type":"string"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. 
The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedDeletingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedDeletingPolicy"},"io.kyverno.policies.v1.NamespacedDeletingPolicyList":{"description":"NamespacedDeletingPolicyList is a list of NamespacedDeletingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespaceddeletingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.NamespacedDeletingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedDeletingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedDeletingPolicyList"},"io.kyverno.policies.v1.NamespacedGeneratingPolicy":{"description":"NamespacedGeneratingPolicy is the namespaced CEL-based generating policy.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.","type":"object","required":["generate"],"properties":{"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"generateExisting":{"description":"GenerateExisting defines the configuration for generating resources for existing triggers.","type":"object","properties":{"enabled":{"description":"Enabled controls whether to trigger the policy for existing resources\nIf it is set to \"true\" the policy will be triggered and applied to existing matched resources.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.","type":"object","properties":{"enabled":{"description":"Enabled controls whether generated resources should be deleted when the policy that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"}}},"synchronize":{"description":"Synchronization defines the configuration for the synchronization of generated resources.","type":"object","properties":{"enabled":{"description":"Enabled controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"generate":{"description":"Generation defines a set of CEL expressions that will be evaluated to generate resources.\nRequired.","type":"array","minItems":1,"items":{"description":"Generation defines the configuration for the generation of resources.","type":"object","properties":{"expression":{"description":"Expression is a CEL expression that takes a list of resources to be generated.","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources will trigger this policy.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's 
status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedGeneratingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedGeneratingPolicy"},"io.kyverno.policies.v1.NamespacedGeneratingPolicyList":{"description":"NamespacedGeneratingPolicyList is a list of NamespacedGeneratingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedgeneratingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.NamespacedGeneratingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedGeneratingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedGeneratingPolicyList"},"io.kyverno.policies.v1.NamespacedImageValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"InsecureIgnoreSCT defines whether to skip checking the certificate against the Signed Certificate Timestamp (SCT) log.\nDefault is false, meaning the SCT is checked. Set to true if the SCT was opted out of during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is an expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies the signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expression to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which is used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to skip checking the certificate for a Signed Certificate Timestamp (SCT).\nDefault is false. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies the signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expression to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which is used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedImageValidatingPolicy","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedImageValidatingPolicy"},"io.kyverno.policies.v1.NamespacedImageValidatingPolicyList":{"description":"NamespacedImageValidatingPolicyList is a list of NamespacedImageValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedimagevalidatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.NamespacedImageValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedImageValidatingPolicyList","version":"v1"}],"title":"io.kyverno.policies.v1.NamespacedImageValidatingPolicyList"},"io.kyverno.policies.v1.NamespacedMutatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. 
Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers who can set labels on the object may skip the admission webhook\nby choosing labels that do not match the selector.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. 
user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. 
If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers who can set labels on the object may skip the admission webhook\nby choosing labels that do not match the selector.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedMutatingPolicy","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.NamespacedMutatingPolicy"},"io.kyverno.policies.v1.NamespacedMutatingPolicyList":{"description":"NamespacedMutatingPolicyList is a list of NamespacedMutatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedmutatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.NamespacedMutatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedMutatingPolicyList","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.NamespacedMutatingPolicyList"},"io.kyverno.policies.v1.NamespacedValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. 
If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". 
The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which is used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedValidatingPolicy","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.NamespacedValidatingPolicy"},"io.kyverno.policies.v1.NamespacedValidatingPolicyList":{"description":"NamespacedValidatingPolicyList is a list of NamespacedValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedvalidatingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.NamespacedValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedValidatingPolicyList","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.NamespacedValidatingPolicyList"},"io.kyverno.policies.v1.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["policyRefs"],"properties":{"allowedValues":{"description":"AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.","type":"array","items":{"type":"string"}},"images":{"description":"Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.","type":"array","items":{"type":"string"}},"matchConditions":{"description":"MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"policyRefs":{"description":"PolicyRefs identifies the policies to which the exception is applied.","type":"array","items":{"type":"object","required":["kind","name"],"properties":{"kind":{"description":"Kind is the kind of the policy","type":"string"},"name":{"description":"Name is the name of the policy","type":"string"}}}},"reportResult":{"description":"ReportResult indicates whether the policy exception should be reported in the policy report\nas a skip result or pass result. Defaults to \"skip\".","type":"string","enum":["skip","pass"]}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyException","version":"v1"}],"title":"io.kyverno.policies.v1.PolicyException"},"io.kyverno.policies.v1.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyExceptionList","version":"v1"}],"title":"io.kyverno.policies.v1.PolicyExceptionList"},"io.kyverno.policies.v1.ValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicy","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.ValidatingPolicy"},"io.kyverno.policies.v1.ValidatingPolicyList":{"description":"ValidatingPolicyList is a list of ValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of validatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1.ValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicyList","version":"v1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1.ValidatingPolicyList"},"io.kyverno.policies.v1alpha1.DeletingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions is a list of conditions that must be met for a resource to be deleted.\nConditions filter resources that have already been matched by the match constraints,\nnamespaceSelector, and objectSelector. An empty list of conditions matches all resources.\nThere are a maximum of 64 conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY condition evaluates to FALSE, the policy is skipped.\n  2. If ALL conditions evaluate to TRUE, the policy is executed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API 
groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced 
resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"schedule":{"description":"The schedule in Cron format\nRequired.","type":"string"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. 
The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicy","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.DeletingPolicy"},"io.kyverno.policies.v1alpha1.DeletingPolicyList":{"description":"DeletingPolicyList is a list of DeletingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of deletingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.DeletingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicyList","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.DeletingPolicyList"},"io.kyverno.policies.v1alpha1.GeneratingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.","type":"object","required":["generate"],"properties":{"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"generateExisting":{"description":"GenerateExisting defines the configuration for generating resources for existing triggers.","type":"object","properties":{"enabled":{"description":"Enabled controls whether to trigger the policy for existing resources.\nIf set to \"true\" the policy will be triggered and applied to existing matched resources.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.","type":"object","properties":{"enabled":{"description":"Enabled controls whether generated resources should be deleted when the policy that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"}}},"synchronize":{"description":"Synchronization defines the configuration for the synchronization of generated resources.","type":"object","properties":{"enabled":{"description":"Enabled controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"generate":{"description":"Generation defines a set of CEL expressions that will be evaluated to generate resources.\nRequired.","type":"array","minItems":1,"items":{"description":"Generation defines the configuration for the generation of resources.","type":"object","properties":{"expression":{"description":"Expression is a CEL expression that takes a list of resources to be generated.","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources will trigger this policy.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels. The same holds\nfor this policy: anyone who can set labels on an object can move it out of the\nselector's scope, so objectSelector alone should not scope a mandatory control.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's 
status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicy","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.GeneratingPolicy"},"io.kyverno.policies.v1alpha1.GeneratingPolicyList":{"description":"GeneratingPolicyList is a list of GeneratingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of generatingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.GeneratingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicyList","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.GeneratingPolicyList"},"io.kyverno.policies.v1alpha1.ImageValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is an expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expression to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which is used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the to the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines the a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to skip using the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false (the SCT is checked). Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines a CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which is used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicy","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.ImageValidatingPolicy"},"io.kyverno.policies.v1alpha1.ImageValidatingPolicyList":{"description":"ImageValidatingPolicyList is a list of ImageValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of imagevalidatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.ImageValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicyList","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.ImageValidatingPolicyList"},"io.kyverno.policies.v1alpha1.MutatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate pod controller rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. 
Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate pod controller rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. 
user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. 
If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicy","version":"v1alpha1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1alpha1.MutatingPolicy"},"io.kyverno.policies.v1alpha1.MutatingPolicyList":{"description":"MutatingPolicyList is a list of MutatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mutatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.MutatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicyList","version":"v1alpha1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1alpha1.MutatingPolicyList"},"io.kyverno.policies.v1alpha1.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["policyRefs"],"properties":{"allowedValues":{"description":"AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.","type":"array","items":{"type":"string"}},"images":{"description":"Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.","type":"array","items":{"type":"string"}},"matchConditions":{"description":"MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"policyRefs":{"description":"PolicyRefs identifies the policies to which the exception is applied.","type":"array","items":{"type":"object","required":["kind","name"],"properties":{"kind":{"description":"Kind is the kind of the policy","type":"string"},"name":{"description":"Name is the name of the policy","type":"string"}}}},"reportResult":{"description":"ReportResult indicates whether the policy exception should be reported in the policy report\nas a skip result or pass result. 
Defaults to \"skip\".","type":"string","enum":["skip","pass"]}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyException","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.PolicyException"},"io.kyverno.policies.v1alpha1.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyExceptionList","version":"v1alpha1"}],"title":"io.kyverno.policies.v1alpha1.PolicyExceptionList"},"io.kyverno.policies.v1alpha1.ValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. 
Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. 
The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicy","version":"v1alpha1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1alpha1.ValidatingPolicy"},"io.kyverno.policies.v1alpha1.ValidatingPolicyList":{"description":"ValidatingPolicyList is a list of ValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of validatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1alpha1.ValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicyList","version":"v1alpha1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1alpha1.ValidatingPolicyList"},"io.kyverno.policies.v1beta1.DeletingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions is a list of conditions that must be met for a resource to be deleted.\nConditions filter resources that have already been matched by the match constraints,\nnamespaceSelector, and objectSelector. An empty list of conditions matches all resources.\nThere are a maximum of 64 conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY condition evaluates to FALSE, the policy is skipped.\n  2. If ALL conditions evaluate to TRUE, the policy is executed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API 
groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced 
resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"schedule":{"description":"The schedule in Cron format\nRequired.","type":"string"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. 
The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.DeletingPolicy"},"io.kyverno.policies.v1beta1.DeletingPolicyList":{"description":"DeletingPolicyList is a list of DeletingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of deletingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.DeletingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"DeletingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.DeletingPolicyList"},"io.kyverno.policies.v1beta1.GeneratingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.","type":"object","required":["generate"],"properties":{"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"generateExisting":{"description":"GenerateExisting defines the configuration for generating resources for existing triggers.","type":"object","properties":{"enabled":{"description":"Enabled controls whether to trigger the policy for existing resources.\nIf set to \"true\", the policy will be triggered and applied to existing matched resources.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.","type":"object","properties":{"enabled":{"description":"Enabled controls whether generated resources should be deleted when the policy that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"}}},"synchronize":{"description":"Synchronization defines the configuration for the synchronization of generated resources.","type":"object","properties":{"enabled":{"description":"Enabled controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"generate":{"description":"Generation defines a set of CEL expressions that will be evaluated to generate resources.\nRequired.","type":"array","minItems":1,"items":{"description":"Generation defines the configuration for the generation of resources.","type":"object","properties":{"expression":{"description":"Expression is a CEL expression that takes a list of resources to be generated.","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources will trigger this policy.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's 
status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.GeneratingPolicy"},"io.kyverno.policies.v1beta1.GeneratingPolicyList":{"description":"GeneratingPolicyList is a list of GeneratingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of generatingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.GeneratingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"GeneratingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.GeneratingPolicyList"},"io.kyverno.policies.v1beta1.ImageValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to skip the Signed Certificate Timestamp (SCT) check, which proves that the\nsigning certificate was recorded in a certificate transparency log. Default is false. Set to true only if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.\nWhen true, a signature is accepted without proof that it was recorded in the transparency log.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines the CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. 
An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which are used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to skip checking the Signed Certificate Timestamp (SCT) log for a certificate\ntimestamp. Default is false. Set to true only if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines the CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nfor both allowed and denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which are used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.ImageValidatingPolicy"},"io.kyverno.policies.v1beta1.ImageValidatingPolicyList":{"description":"ImageValidatingPolicyList is a list of ImageValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of imagevalidatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.ImageValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ImageValidatingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.ImageValidatingPolicyList"},"io.kyverno.policies.v1beta1.MutatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. 
Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. 
user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. 
If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicy","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.MutatingPolicy"},"io.kyverno.policies.v1beta1.MutatingPolicyList":{"description":"MutatingPolicyList is a list of MutatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of mutatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.MutatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"MutatingPolicyList","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.MutatingPolicyList"},"io.kyverno.policies.v1beta1.NamespacedDeletingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions is a list of conditions that must be met for a resource to be deleted.\nConditions filter resources that have already been matched by the match constraints,\nnamespaceSelector, and objectSelector. An empty list of conditions matches all resources.\nThere are a maximum of 64 conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY condition evaluates to FALSE, the policy is skipped.\n  2. If ALL conditions evaluate to TRUE, the policy is executed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API 
groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced 
resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"schedule":{"description":"The schedule in Cron format\nRequired.","type":"string"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. 
The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedDeletingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedDeletingPolicy"},"io.kyverno.policies.v1beta1.NamespacedDeletingPolicyList":{"description":"NamespacedDeletingPolicyList is a list of NamespacedDeletingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespaceddeletingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.NamespacedDeletingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedDeletingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedDeletingPolicyList"},"io.kyverno.policies.v1beta1.NamespacedGeneratingPolicy":{"description":"NamespacedGeneratingPolicy is the namespaced CEL-based generating policy.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.","type":"object","required":["generate"],"properties":{"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"generateExisting":{"description":"GenerateExisting defines the configuration for generating resources for existing triggers.","type":"object","properties":{"enabled":{"description":"Enabled controls whether to trigger the policy for existing resources\nIf set to \"true\" the policy will be triggered and applied to existing matched resources.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.","type":"object","properties":{"enabled":{"description":"Enabled controls whether generated resources should be deleted when the policy that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"}}},"synchronize":{"description":"Synchronization defines the configuration for the synchronization of generated resources.","type":"object","properties":{"enabled":{"description":"Enabled controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"generate":{"description":"Generation defines a set of CEL expressions that will be evaluated to generate resources.\nRequired.","type":"array","minItems":1,"items":{"description":"Generation defines the configuration for the generation of resources.","type":"object","properties":{"expression":{"description":"Expression is a CEL expression that takes a list of resources to be generated.","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources will trigger this policy.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's 
status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedGeneratingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedGeneratingPolicy"},"io.kyverno.policies.v1beta1.NamespacedGeneratingPolicyList":{"description":"NamespacedGeneratingPolicyList is a list of NamespacedGeneratingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedgeneratingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.NamespacedGeneratingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedGeneratingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedGeneratingPolicyList"},"io.kyverno.policies.v1beta1.NamespacedImageValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"IgnoreSCT defines whether to skip verification of the certificate's Signed Certificate Timestamp (SCT).\nDefault is false, which means the SCT is verified. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines the CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nfor both allowed and denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which are used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.","type":"object","required":["attestors","validations"],"properties":{"attestations":{"description":"Attestations provides a list of image metadata to verify","type":"array","items":{"description":"Attestation defines the identification details of the  metadata that has to be verified","type":"object","required":["name"],"properties":{"intoto":{"description":"InToto defines the details of attestation attached using intoto format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation contained within the statement.","type":"string"}}},"name":{"description":"Name is the name for this attestation. 
It is used to refer to the attestation in verification","type":"string"},"referrer":{"description":"Referrer defines the details of attestation attached using OCI 1.1 format","type":"object","required":["type"],"properties":{"type":{"description":"Type defines the type of attestation attached to the image.","type":"string"}}}}}},"attestors":{"description":"Attestors provides a list of trusted authorities.","type":"array","items":{"description":"Attestor is an identity that confirms or verifies the authenticity of an image or an attestation","type":"object","required":["name"],"properties":{"cosign":{"description":"Cosign defines attestor configuration for Cosign based signatures","type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"certificate":{"description":"Certificate defines the configuration for local signature verification","type":"object","properties":{"cert":{"description":"Certificate is the public certificate for local signature verification.","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"certChain":{"description":"CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. 
Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}},"ctlog":{"description":"CTLog sets the configuration to verify the authority against a Rekor instance.","type":"object","properties":{"ctLogPubKey":{"description":"CTLogPubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"insecureIgnoreSCT":{"description":"InsecureIgnoreSCT skips verification of the certificate's Signed Certificate Timestamp (SCT) when set to true.\nDefault is false. Set to true if this was opted out during signing.","type":"boolean"},"insecureIgnoreTlog":{"description":"InsecureIgnoreTlog skips transparency log verification.","type":"boolean"},"rekorPubKey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"},"url":{"description":"URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)","type":"string"}}},"key":{"description":"Key defines the type of key to validate the image.","type":"object","properties":{"data":{"description":"Data contains the inline public key","type":"string"},"expression":{"description":"Expression is a CEL expression that returns the public key.","type":"string"},"hashAlgorithm":{"description":"HashAlgorithm specifies signature algorithm for public keys. 
Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.","type":"string"},"kms":{"description":"KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.","type":"string"}}},"keyless":{"description":"Keyless sets the configuration to verify the authority against a Fulcio instance.","type":"object","required":["identities"],"properties":{"identities":{"description":"Identities sets a list of identities.","type":"array","items":{"description":"Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.","type":"object","properties":{"issuer":{"description":"Issuer defines the issuer for this identity.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp specifies a regular expression to match the issuer for this identity.","type":"string"},"subject":{"description":"Subject defines the subject for this identity.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp specifies a regular expression to match the subject for this identity.","type":"string"}}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"}}},"source":{"description":"Sources sets the configuration to specify the sources from where to consume the signature and attestations.","type":"object","properties":{"PullSecrets":{"description":"SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.","type":"array","items":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.\nThis field is effectively required, but due to backwards 
compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"}},"repository":{"description":"Repository defines the location from where to pull the signature / attestations.","type":"string"},"tagPrefix":{"description":"TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.","type":"string"}}},"tuf":{"description":"TUF defines the configuration to fetch sigstore root","type":"object","properties":{"mirror":{"description":"Mirror is the base URL of Sigstore TUF repository","type":"string"},"root":{"description":"Root defines the path or data of the trusted root","type":"object","properties":{"data":{"description":"Data is the base64 encoded TUF root","type":"string"},"path":{"description":"Path is the URL or File location of the TUF root","type":"string"}}}}}}},"name":{"description":"Name is the name for this attestor. 
It is used to refer to the attestor in verification","type":"string"},"notary":{"description":"Notary defines attestor configuration for Notary based signatures","type":"object","properties":{"certs":{"description":"Certs define the cert chain for Notary signature verification","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}},"tsaCerts":{"description":"TSACerts define the cert chain for verifying timestamps of notary signature","type":"object","properties":{"expression":{"description":"Expression defines a CEL expression input.","type":"string"},"value":{"description":"Value defines the raw string input.","type":"string"}}}}}}}},"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate pod controller rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"credentials":{"description":"Credentials provides credentials that will be used for authentication with the registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"CredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.","type":"string","enum":["Ignore","Fail"]},"images":{"description":"ImageExtractors is a list of CEL expressions to extract images from the resource","type":"array","items":{"type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression defines CEL expression to extract images from the resource.","type":"string"},"name":{"description":"Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>","type":"string"}}}},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"matchImageReferences":{"description":"MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation\nAny image that does not match a rule is skipped, even when they are passed as arguments to\nimage verification functions","type":"array","items":{"description":"MatchImageReference defines a Glob or a CEL expression for matching images","type":"object","properties":{"expression":{"description":"Expression defines CEL Expressions for matching images","type":"string"},"glob":{"description":"Glob defines a globbing pattern for matching images","type":"string"}}}},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validationConfigurations":{"description":"ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.","type":"object","properties":{"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"required":{"description":"Required validates that images are verified, i.e., have passed a signature or attestation check.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}},"validations":{"description":"Validations contain CEL expressions which are used to apply the image validation checks.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. 
The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. 
Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL 
expression.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedImageValidatingPolicy","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedImageValidatingPolicy"},"io.kyverno.policies.v1beta1.NamespacedImageValidatingPolicyList":{"description":"NamespacedImageValidatingPolicyList is a list of NamespacedImageValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedimagevalidatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.NamespacedImageValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedImageValidatingPolicyList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.NamespacedImageValidatingPolicyList"},"io.kyverno.policies.v1beta1.NamespacedMutatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. 
Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.","type":"object","properties":{"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"mutatingAdmissionPolicy":{"description":"MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for mutating policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. 
user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"},"mutateExisting":{"description":"MutateExisting controls whether existing resources are mutated.","type":"object","properties":{"enabled":{"description":"Enabled enables mutation of existing resources. Default is false.\nWhen spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.","type":"boolean"}}}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. 
If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to evaluate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"mutations":{"description":"mutations contain operations to perform on matching objects.\nmutations may not be empty; a minimum of one mutation is required.\nmutations are evaluated in order, and are reinvoked according to\nthe reinvocationPolicy.\nThe mutations of a policy are invoked for each binding of this policy\nand reinvocation of mutations occurs on a per binding basis.","type":"array","items":{"description":"Mutation specifies the CEL expression which is used to apply the Mutation.","type":"object","required":["patchType"],"properties":{"applyConfiguration":{"description":"applyConfiguration defines the desired configuration values of an object.\nThe configuration is applied to the 
admission object using\n[structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).\nA CEL expression is used to create apply configuration.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create an apply configuration.\nref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression\nreturns an apply configuration to set a single field:\n\n\tObject{\n\t  spec: Object.spec{\n\t    serviceAccountName: \"example\"\n\t  }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of\nvalues not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"jsonPatch":{"description":"jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.\nA CEL expression is used to create the JSON patch.","type":"object","properties":{"expression":{"description":"expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).\nref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t  [\n\t    JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t    JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t  ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/spec/selector\",\n\t      value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t    }\n\t  ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t  [\n\t    JSONPatch{\n\t      op: \"add\",\n\t      path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t      value: \"test\"\n\t    },\n\t  ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. 
JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n  See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n  integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a\n  [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n  function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object.\n- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')\n- 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)\nas well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and '~1' respectively.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nRequired.","type":"string"}}},"patchType":{"description":"patchType indicates the patch strategy used.\nAllowed values are \"ApplyConfiguration\" and \"JSONPatch\".\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding\nas part of a single admission evaluation.\nAllowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of\norder with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  
Mutations are only\nreinvoked when mutations change the object after this mutation is invoked.\nRequired.","type":"string"},"targetMatchConstraints":{"description":"TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"expression":{"type":"string"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via 
apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedMutatingPolicy","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.NamespacedMutatingPolicy"},"io.kyverno.policies.v1beta1.NamespacedMutatingPolicyList":{"description":"NamespacedMutatingPolicyList is a list of NamespacedMutatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedmutatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.NamespacedMutatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedMutatingPolicyList","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.NamespacedMutatingPolicyList"},"io.kyverno.policies.v1beta1.NamespacedValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. 
If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". 
The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\nWhen failurePolicy is set to Ignore, these failures are ignored and the request is not rejected because of them.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nfor both allowed and denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which are used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedValidatingPolicy","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.NamespacedValidatingPolicy"},"io.kyverno.policies.v1beta1.NamespacedValidatingPolicyList":{"description":"NamespacedValidatingPolicyList is a list of NamespacedValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of namespacedvalidatingpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.NamespacedValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"NamespacedValidatingPolicyList","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.NamespacedValidatingPolicyList"},"io.kyverno.policies.v1beta1.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["policyRefs"],"properties":{"allowedValues":{"description":"AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.","type":"array","items":{"type":"string"}},"images":{"description":"Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.","type":"array","items":{"type":"string"}},"matchConditions":{"description":"MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"policyRefs":{"description":"PolicyRefs identifies the policies to which the exception is applied.","type":"array","items":{"type":"object","required":["kind","name"],"properties":{"kind":{"description":"Kind is the kind of the policy","type":"string"},"name":{"description":"Name is the name of the policy","type":"string"}}}},"reportResult":{"description":"ReportResult indicates whether the policy exception should be reported in the policy report\nas a skip result or pass result. 
Defaults to \"skip\".","type":"string","enum":["skip","pass"]}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyException","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.PolicyException"},"io.kyverno.policies.v1beta1.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"PolicyExceptionList","version":"v1beta1"}],"title":"io.kyverno.policies.v1beta1.PolicyExceptionList"},"io.kyverno.policies.v1beta1.ValidatingPolicy":{"type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. 
Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. 
'*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this 
rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. 
If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. 
'*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is 
\"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. 
Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which is used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. 
The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"type":"object","properties":{"configs":{"type":"object","additionalProperties":{"type":"object","required":["spec","targets"],"properties":{"spec":{"description":"ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. 
If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"autogen":{"description":"AutogenConfiguration defines the configuration for the generation controller.","type":"object","properties":{"podControllers":{"description":"PodControllers specifies whether to generate a pod controllers rules.","type":"object","properties":{"controllers":{"type":"array","items":{"type":"string"}}}},"validatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.","type":"object","properties":{"enabled":{"description":"Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}}}},"evaluation":{"description":"EvaluationConfiguration defines the configuration for the policy evaluation.","type":"object","properties":{"admission":{"description":"Admission controls policy evaluation during admission.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"}}},"background":{"description":"Background  controls policy evaluation during background scan.","type":"object","properties":{"enabled":{"description":"Enabled controls if rules are applied to existing resources during a background scan.\nOptional. 
Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"}}},"mode":{"description":"Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".","type":"string"}}},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, the validationActions field defines how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. 
Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate.\nThe AdmissionPolicy cares about a request if it matches _all_ Constraints.\nRequired.","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and 
extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. 
A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.","type":"array","items":{"description":"OperationType specifies an operation for a request.","type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to.  
An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"validationActions":{"description":"ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. 
validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"description":"ValidationAction specifies a policy enforcement action.","type":"string","enum":["Deny","Audit","Warn"]},"x-kubernetes-list-type":"set"},"validations":{"description":"Validations contain CEL expressions which is used to apply the validation.\nValidations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is\nrequired.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. 
Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. 
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy\nexcept MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after.\nThus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. 
A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"webhookConfiguration":{"description":"WebhookConfiguration defines the configuration for the webhook.","type":"object","properties":{"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. 
The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}}}},"targets":{"type":"array","items":{"type":"object","required":["kind","resource","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}}}}}}}},"conditionStatus":{"description":"ConditionStatus is the shared status across all policy types","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"message":{"description":"Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.","type":"string"},"ready":{"description":"The ready of a policy is a high-level summary of where the policy is in its lifecycle.\nThe conditions array, the reason and message fields contain more detail about the policy's status.","type":"boolean"}}},"generated":{"description":"Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicy","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.ValidatingPolicy"},"io.kyverno.policies.v1beta1.ValidatingPolicyList":{"description":"ValidatingPolicyList is a list of ValidatingPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of validatingpolicies. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.policies.v1beta1.ValidatingPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policies.kyverno.io","kind":"ValidatingPolicyList","version":"v1beta1"}],"x-kubernetes-selectable-fields":[{"fieldPath":"spec.evaluation.mode"}],"title":"io.kyverno.policies.v1beta1.ValidatingPolicyList"},"io.kyverno.reports.v1.ClusterEphemeralReport":{"description":"ClusterEphemeralReport is the Schema for the ClusterEphemeralReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"ReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description 
is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"ResourceSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a ResourceSelector can be specified. If neither are provided, the\nresult is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report\nIf the Source is specified at this level, it will override the Source\nfield set at the Report level","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}],"title":"io.kyverno.reports.v1.ClusterEphemeralReport"},"io.kyverno.reports.v1.ClusterEphemeralReportList":{"description":"ClusterEphemeralReportList is a list of ClusterEphemeralReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterephemeralreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"ClusterEphemeralReportList","version":"v1"}],"title":"io.kyverno.reports.v1.ClusterEphemeralReportList"},"io.kyverno.reports.v1.EphemeralReport":{"description":"EphemeralReport is the Schema for the EphemeralReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. 
a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"ReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy 
rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"ResourceSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a ResourceSelector can be specified. If neither are provided, the\nresult is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report\nIf the Source is specified at this level, it will override the Source\nfield set at the Report level","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}],"title":"io.kyverno.reports.v1.EphemeralReport"},"io.kyverno.reports.v1.EphemeralReportList":{"description":"EphemeralReportList is a list of EphemeralReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ephemeralreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"EphemeralReportList","version":"v1"}],"title":"io.kyverno.reports.v1.EphemeralReportList"},"io.kyverno.v1.ClusterPolicy":{"description":"ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. 
When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"emitWarning":{"description":"EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.\nEnabling this option will extend admission request processing times. The default value is \"false\".","type":"boolean"},"failurePolicy":{"description":"Deprecated, use failurePolicy under the webhookConfiguration instead.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"Deprecated, use generateExisting under the generate rule instead","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. 
It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with the registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nEach entry can be one of these values: default, google, azure, amazon, github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is the image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule for existing resources.\nIf it is set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\", changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long as there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"Deprecated, use validationFailureAction under the validate rule instead.","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"Deprecated, use validationFailureActionOverrides under the validate rule instead.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.","type":"object","properties":{"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. 
Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.\nRequires Kubernetes 1.27 or later.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}}},"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"webhookTimeoutSeconds":{"description":"Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. 
The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources.\nIf it is set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specifies the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}],"title":"io.kyverno.v1.ClusterPolicy"},"io.kyverno.v1.ClusterPolicyList":{"description":"ClusterPolicyList is a list of ClusterPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion 
defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicyList","version":"v1"}],"title":"io.kyverno.v1.ClusterPolicyList"},"io.kyverno.v1.Policy":{"description":"Policy declares validation, mutation, and generation behaviors for matching resources.\nSee: https://kyverno.io/docs/writing-policies/ for more information.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines policy behaviors and contains one or more rules.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rules are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"emitWarning":{"description":"EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.\nEnabling this option will extend admission request processing times. 
The default value is \"false\".","type":"boolean"},"failurePolicy":{"description":"Deprecated, use failurePolicy under the webhookConfiguration instead.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"Deprecated, use generateExisting under the generate rule instead","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources.\nIf it is set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specify the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long as there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified, i.e. have passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"Deprecated, use validationFailureAction under the validate rule instead.","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"Deprecated, use validationFailureActionOverrides under the validate rule instead.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.","type":"object","properties":{"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. 
Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.\nRequires Kubernetes 1.27 or later.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}}},"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"webhookTimeoutSeconds":{"description":"Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.","type":"integer","format":"int32"}}},"status":{"description":"Deprecated. Policy metrics are available via the metrics endpoint","type":"object","properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. 
The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resources used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Wildcard characters are not supported\nin the label keys and values of `matchLabels`.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule on existing resources.\nIf set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry under which the image will be available as 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule. It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is a custom annotation domain for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specify the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamurce.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long as there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specifies the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamurce.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamurce.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched and passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"Policy","version":"v1"}],"title":"io.kyverno.v1.Policy"},"io.kyverno.v1.PolicyList":{"description":"PolicyList is a list of Policy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of 
this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyList","version":"v1"}],"title":"io.kyverno.v1.PolicyList"},"io.kyverno.v2.CleanupPolicy":{"description":"CleanupPolicy defines a rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["match","schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. 
The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. 
The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, 
Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}],"title":"io.kyverno.v2.CleanupPolicy"},"io.kyverno.v2.CleanupPolicyList":{"description":"CleanupPolicyList is a list of CleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicyList","version":"v2"}],"title":"io.kyverno.v2.CleanupPolicyList"},"io.kyverno.v2.ClusterCleanupPolicy":{"description":"ClusterCleanupPolicy defines a rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["match","schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON 
response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, 
Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}],"title":"io.kyverno.v2.ClusterCleanupPolicy"},"io.kyverno.v2.ClusterCleanupPolicyList":{"description":"ClusterCleanupPolicyList is a list of ClusterCleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustercleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicyList","version":"v2"}],"title":"io.kyverno.v2.ClusterCleanupPolicyList"},"io.kyverno.v2.GlobalContextEntry":{"description":"GlobalContextEntry declares resources to be cached.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","properties":{"apiCall":{"description":"Stores results from an API call which will be cached.\nMutually exclusive with KubernetesResource.\nThis can be used to make calls to external (non-Kubernetes API server) services.\nIt can also be used to make calls to the Kubernetes API server in such cases:\n1. A POST is needed to create a resource.\n2. Finer-grained control is needed. 
Example: To restrict the number of resources cached.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"refreshInterval":{"description":"RefreshInterval defines the interval in duration at which to poll the APICall.\nThe duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".","type":"string","format":"duration"},"retryLimit":{"description":"RetryLimit defines the number of times the APICall should be retried in case of failure.","type":"integer","minimum":1},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. 
A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"kubernetesResource":{"description":"Stores a list of Kubernetes resources which will be cached.\nMutually exclusive with APICall.","type":"object","required":["resource","version"],"properties":{"group":{"description":"Group defines the group of the resource.","type":"string"},"namespace":{"description":"Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.\nIf left empty for namespaced resources, all resources from all namespaces will be cached.","type":"string"},"resource":{"description":"Resource defines the type of the resource.\nRequires the pluralized form of the resource kind in lowercase. 
(Ex., \"deployments\")","type":"string"},"version":{"description":"Version defines the version of the resource.","type":"string"}}},"projections":{"description":"Projections defines the list of JMESPath expressions to extract values from the cached resource.","type":"array","items":{"type":"object","required":["jmesPath","name"],"properties":{"jmesPath":{"description":"JMESPath is the JMESPath expression to extract the value from the cached resource.","type":"string"},"name":{"description":"Name is the name to use for the extracted value in the context.","type":"string"}}}}}},"status":{"description":"Status contains globalcontextentry runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastRefreshTime":{"description":"Indicates the time when the globalcontextentry was last refreshed successfully for the API Call","type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntry","version":"v2"}],"title":"io.kyverno.v2.GlobalContextEntry"},"io.kyverno.v2.GlobalContextEntryList":{"description":"GlobalContextEntryList is a list of 
GlobalContextEntry","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of globalcontextentries. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.GlobalContextEntry"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntryList","version":"v2"}],"title":"io.kyverno.v2.GlobalContextEntryList"},"io.kyverno.v2.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["exceptions","match"],"properties":{"background":{"description":"Background controls if exceptions are applied to existing policies during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"conditions":{"description":"Conditions are used to determine if a resource applies to the exception by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan.\nNote: In and NotIn are listed above but are absent from this field's enum, so validation against this schema rejects them.","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan.\nNote: In and NotIn are listed above but are absent from this field's enum, so validation against this schema rejects them.","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. 
The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exceptions":{"description":"Exceptions is a list of policies/rules to be excluded","type":"array","items":{"description":"Exception stores information about a policy and rules","type":"object","required":["policyName","ruleNames"],"properties":{"policyName":{"description":"PolicyName identifies the policy to which the exception is applied.\nThe policy name uses the format <namespace>/<name> unless it\nreferences a ClusterPolicy.","type":"string"},"ruleNames":{"description":"RuleNames identifies the rules to which the exception is applied.","type":"array","items":{"type":"string"}}}}},"match":{"description":"Match defines the match clause used to check if a resource applies to the exception","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. 
The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"podSecurity":{"description":"PodSecurity specifies the Pod Security Standard controls to be excluded.\nApplicable only to policies that have validate.podSecurity subrule.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyException","version":"v2"}],"title":"io.kyverno.v2.PolicyException"},"io.kyverno.v2.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyExceptionList","version":"v2"}],"title":"io.kyverno.v2.PolicyExceptionList"},"io.kyverno.v2.UpdateRequest":{"description":"UpdateRequest is a request to process mutate and generate rules in background.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","required":["context","deleteDownstream","policy","resource","rule"],"properties":{"context":{"description":"Context represents admission request context.\nIt is used upon admission review only and is shared across rules within the same UR.","type":"object","properties":{"admissionRequestInfo":{"description":"AdmissionRequestInfoObject stores the admission request and operation details","type":"object","properties":{"admissionRequest":{"description":"AdmissionRequest describes the admission.Attributes for the admission request.","type":"object","required":["kind","operation","resource","uid","userInfo"],"properties":{"dryRun":{"description":"dryRun indicates that modifications will definitely not be persisted for this request.\nDefaults to false.","type":"boolean"},"kind":{"description":"kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"name":{"description":"name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and\nrely on the server to generate the name.  If that is the case, this field will contain an empty string.","type":"string"},"namespace":{"description":"namespace is the namespace associated with the request (if any).","type":"string"},"object":{"description":"object is the object from the incoming request.","x-kubernetes-preserve-unknown-fields":true},"oldObject":{"description":"oldObject is the existing object. 
Only populated for DELETE and UPDATE requests.","x-kubernetes-preserve-unknown-fields":true},"operation":{"description":"operation is the operation being performed. This may be different than the operation\nrequested. e.g. a patch can result in either a CREATE or UPDATE Operation.","type":"string"},"options":{"description":"options is the operation option structure of the operation being performed.\ne.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be\ndifferent than the options the caller provided. e.g. for a patch request the performed\nOperation might be a CREATE, in which case the Options will be a\n`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.","x-kubernetes-preserve-unknown-fields":true},"requestKind":{"description":"requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).\nIf this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for),\nand `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"requestResource":{"description":"requestResource is the fully-qualified resource of the original API request (for example, v1.pods).\nIf this is specified and 
differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for),\nand `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"requestSubResource":{"description":"requestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\")\nIf this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed.\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"string"},"resource":{"description":"resource is the fully-qualified resource being requested (for example, v1.pods)","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"subResource":{"description":"subResource is the subresource being requested, if any (for example, \"status\" or \"scale\")","type":"string"},"uid":{"description":"uid is an identifier for the individual request/response. 
It allows us to distinguish instances of requests which are\notherwise identical (parallel requests, requests when earlier requests did not modify etc)\nThe UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.\nIt is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.","type":"string"},"userInfo":{"description":"userInfo is information about the requesting user","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}},"operation":{"description":"Operation is the type of resource operation being checked for admission control","type":"string"}}},"userInfo":{"description":"RequestInfo contains permission info carried in an admission request.","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is a list of possible clusterRoles send the request."},"roles":{"description":"Roles is a list of possible role send the request."},"synchronize":{"description":"DryRun indicates that modifications will definitely not be persisted for this request.\nDefaults to false.","type":"boolean"},"userInfo":{"description":"UserInfo is the userInfo carried in the admission request.","type":"object","properties":{"extra":{"description":"Any additional information provided by the 
authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}}}},"deleteDownstream":{"description":"DeleteDownstream represents whether the downstream needs to be deleted.\nDeprecated","type":"boolean"},"policy":{"description":"Specifies the name of the policy.","type":"string"},"requestType":{"description":"Type represents request type for background processing","type":"string","enum":["mutate","generate","cel-generate","cel-mutate"]},"resource":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"rule":{"description":"Rule is the associate rule name of the current UR.","type":"string"},"ruleContext":{"description":"RuleContext is the associate context to apply rules.\noptional","type":"array","items":{"type":"object","required":["deleteDownstream","rule","trigger"],"properties":{"cacheRestore":{"description":"CacheRestore indicates whether the cache should be restored.","type":"boolean"},"deleteDownstream":{"description":"DeleteDownstream represents whether the 
downstream needs to be deleted.","type":"boolean"},"rule":{"description":"Rule is the associate rule name of the current UR.","type":"string"},"synchronize":{"description":"Synchronize represents the sync behavior of the corresponding rule\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"trigger":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"synchronize":{"description":"Synchronize represents the sync behavior of the corresponding rule\nOptional. Defaults to \"false\" if not specified.\nDeprecated, will be removed in 1.14.","type":"boolean"}}},"status":{"description":"Status contains statistics related to update request.","type":"object","required":["state"],"properties":{"generatedResources":{"description":"This will track the resources that are updated by the generate Policy.\nWill be used during clean up resources.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"message":{"description":"Specifies request status message.","type":"string"},"retryCount":{"type":"integer"},"state":{"description":"State represents state of the update 
request.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}],"title":"io.kyverno.v2.UpdateRequest"},"io.kyverno.v2.UpdateRequestList":{"description":"UpdateRequestList is a list of UpdateRequest","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of updaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequestList","version":"v2"}],"title":"io.kyverno.v2.UpdateRequestList"},"io.kyverno.v2alpha1.GlobalContextEntry":{"description":"GlobalContextEntry declares resources to be cached.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","properties":{"apiCall":{"description":"Stores results from an API call which will be cached.\nMutually exclusive with KubernetesResource.\nThis can be used to make calls to external (non-Kubernetes API server) services.\nIt can also be used to make calls to the Kubernetes API server in such cases:\n1. A POST is needed to create a resource.\n2. Finer-grained control is needed. Example: To restrict the number of resources cached.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"refreshInterval":{"description":"RefreshInterval defines the interval in duration at which to poll the APICall.\nThe duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".","type":"string","format":"duration"},"retryLimit":{"description":"RetryLimit defines the number of times the APICall should be retried in case of failure.","type":"integer","minimum":1},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"kubernetesResource":{"description":"Stores a list of Kubernetes resources which will be cached.\nMutually exclusive with APICall.","type":"object","required":["resource","version"],"properties":{"group":{"description":"Group defines the group of the resource.","type":"string"},"namespace":{"description":"Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.\nIf left empty for namespaced resources, all resources from all namespaces will be cached.","type":"string"},"resource":{"description":"Resource defines the type of the resource.\nRequires the pluralized form of the resource kind in lowercase. (Ex., \"deployments\")","type":"string"},"version":{"description":"Version defines the version of the resource.","type":"string"}}},"projections":{"description":"Projections defines the list of JMESPath expressions to extract values from the cached resource.","type":"array","items":{"type":"object","required":["jmesPath","name"],"properties":{"jmesPath":{"description":"JMESPath is the JMESPath expression to extract the value from the cached resource.","type":"string"},"name":{"description":"Name is the name to use for the extracted value in the context.","type":"string"}}}}}},"status":{"description":"Status contains globalcontextentry runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition 
transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastRefreshTime":{"description":"Indicates the time when the globalcontextentry was last refreshed successfully for the API Call","type":"string","format":"date-time"},"ready":{"description":"Deprecated in favor of 
Conditions","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntry","version":"v2alpha1"}],"title":"io.kyverno.v2alpha1.GlobalContextEntry"},"io.kyverno.v2alpha1.GlobalContextEntryList":{"description":"GlobalContextEntryList is a list of GlobalContextEntry","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of globalcontextentries. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2alpha1.GlobalContextEntry"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntryList","version":"v2alpha1"}],"title":"io.kyverno.v2alpha1.GlobalContextEntryList"},"io.kyverno.v2beta1.CleanupPolicy":{"description":"CleanupPolicy defines a rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["match","schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. 
The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. 
The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, 
Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}],"title":"io.kyverno.v2beta1.CleanupPolicy"},"io.kyverno.v2beta1.CleanupPolicyList":{"description":"CleanupPolicyList is a list of CleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicyList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.CleanupPolicyList"},"io.kyverno.v2beta1.ClusterCleanupPolicy":{"description":"ClusterCleanupPolicy defines rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["match","schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON 
response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deletionPropagationPolicy":{"description":"DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).","type":"string","enum":["Foreground","Background","Orphan"]},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, 
Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}],"title":"io.kyverno.v2beta1.ClusterCleanupPolicy"},"io.kyverno.v2beta1.ClusterCleanupPolicyList":{"description":"ClusterCleanupPolicyList is a list of ClusterCleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustercleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicyList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.ClusterCleanupPolicyList"},"io.kyverno.v2beta1.ClusterPolicy":{"description":"ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rules are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. 
The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"emitWarning":{"description":"EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.\nEnabling this option will extend admission request processing times. The default value is \"false\".","type":"boolean"},"failurePolicy":{"description":"Deprecated, use failurePolicy under the webhookConfiguration instead.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"Deprecated, use generateExisting under the generate rule instead","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. 
It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources.\nIf it is set to \"true\" the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. 
The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. 
At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is the custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specify the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. 
Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamurce.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamurce.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"Deprecated, use validationFailureAction under the validate rule instead.","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"Deprecated, use validationFailureActionOverrides under the validate rule 
instead.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.","type":"object","properties":{"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.\nRequires Kubernetes 1.27 or later.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"webhookTimeoutSeconds":{"description":"Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. 
It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. 
A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources\nIf is set to \"true\" the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long as there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specifies the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}],"title":"io.kyverno.v2beta1.ClusterPolicy"},"io.kyverno.v2beta1.ClusterPolicyList":{"description":"ClusterPolicyList is a list of 
ClusterPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicyList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.ClusterPolicyList"},"io.kyverno.v2beta1.GlobalContextEntry":{"description":"GlobalContextEntry declares resources to be cached.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","properties":{"apiCall":{"description":"Stores results from an API call which will be cached.\nMutually exclusive with KubernetesResource.\nThis can be used to make calls to external (non-Kubernetes API server) services.\nIt can also be used to make calls to the Kubernetes API server in such cases:\n1. A POST is needed to create a resource.\n2. Finer-grained control is needed. Example: To restrict the number of resources cached.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"refreshInterval":{"description":"RefreshInterval defines the interval in duration at which to poll the APICall.\nThe duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"1.5h\" or \"2h45m\". 
Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".","type":"string","format":"duration"},"retryLimit":{"description":"RetryLimit defines the number of times the APICall should be retried in case of failure.","type":"integer","minimum":1},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"kubernetesResource":{"description":"Stores a list of Kubernetes resources which will be cached.\nMutually exclusive with APICall.","type":"object","required":["resource","version"],"properties":{"group":{"description":"Group defines the group of the resource.","type":"string"},"namespace":{"description":"Namespace defines the namespace of the resource. 
Leave empty for cluster scoped resources.\nIf left empty for namespaced resources, all resources from all namespaces will be cached.","type":"string"},"resource":{"description":"Resource defines the type of the resource.\nRequires the pluralized form of the resource kind in lowercase. (Ex., \"deployments\")","type":"string"},"version":{"description":"Version defines the version of the resource.","type":"string"}}},"projections":{"description":"Projections defines the list of JMESPath expressions to extract values from the cached resource.","type":"array","items":{"type":"object","required":["jmesPath","name"],"properties":{"jmesPath":{"description":"JMESPath is the JMESPath expression to extract the value from the cached resource.","type":"string"},"name":{"description":"Name is the name to use for the extracted value in the context.","type":"string"}}}}}},"status":{"description":"Status contains globalcontextentry runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastRefreshTime":{"description":"Indicates the time when the globalcontextentry was last refreshed successfully for the API Call","type":"string","format":"date-time"},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntry","version":"v2beta1"}],"title":"io.kyverno.v2beta1.GlobalContextEntry"},"io.kyverno.v2beta1.GlobalContextEntryList":{"description":"GlobalContextEntryList is a list of 
GlobalContextEntry","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of globalcontextentries. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.GlobalContextEntry"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"GlobalContextEntryList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.GlobalContextEntryList"},"io.kyverno.v2beta1.Policy":{"description":"Policy declares validation, mutation, and generation behaviors for matching resources.\nSee: https://kyverno.io/docs/writing-policies/ for more information.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines policy behaviors and contains one or more rules.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"emitWarning":{"description":"EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.\nEnabling this option will extend admission request processing times. 
The default value is \"false\".","type":"boolean"},"failurePolicy":{"description":"Deprecated, use failurePolicy under the webhookConfiguration instead.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"Deprecated, use generateExisting under the generate rule instead","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources.\nIf it is set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\", changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.<name>' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. 
The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. 
The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. 
At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. 
Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long as there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have passed a signature or attestation check.","type":"boolean"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules.\nIf it is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"Deprecated, use validationFailureAction under the validate rule instead.","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"Deprecated, use validationFailureActionOverrides under the validate rule 
instead.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.","type":"object","properties":{"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.\nRequires Kubernetes 1.27 or later.","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"timeoutSeconds":{"description":"TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"webhookTimeoutSeconds":{"description":"Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. 
It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rule contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["match","name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. 
A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. 
If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"foreach":{"description":"ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or an APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns an error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"generateExisting":{"description":"GenerateExisting controls whether to trigger the rule in existing resources.\nIf it is set to \"true\", the rule will be triggered and applied to existing matched resources.","type":"boolean"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPath to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry under which the image will be available ('images.<name>') in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. 
kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a  map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. 
Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. 
Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used 
to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. 
\"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers 
required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee 
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.","type":"boolean"},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can 
be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"selector":{"description":"Selector allows you to select target resources with their labels.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list\nof conditions (without `any` or `all` statements) is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"reportProperties":{"description":"ReportProperties are the additional properties from the rule that will be added to the policy report result","type":"object","additionalProperties":{"type":"string"}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"allowExistingViolations":{"description":"AllowExistingViolations allows preexisting violating resources to continue violating a policy.","type":"boolean"},"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"assert":{"description":"Assert defines a kyverno-json assertion tree.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. 
The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. 
All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. 
\"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"generate":{"description":"Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.\nOptional. 
Defaults to \"false\" if not specified.","type":"boolean"},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured\nby setting the `name` field, leaving `selector` blank, and setting namespace\nif `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. 
If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"failureAction":{"description":"FailureAction defines if a validation policy rule violation should block\nthe admission review request (Enforce), or allow (Audit) the admission review request\nand report an error in a policy report. 
Optional.\nAllowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"failureActionOverrides":{"description":"FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction\nnamespace-wise. It overrides FailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. 
Either a\nConfigMap reference or a APILookup must be provided.","type":"object","required":["name"],"properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"default":{"description":"Default is an optional arbitrary JSON object that the context\nvalue is set to, if the apiCall returns error.","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST). 
Defaults to GET.","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"headers":{"description":"Headers is a list of optional HTTP headers to be included in the request.","type":"array","items":{"type":"object","required":["key","value"],"properties":{"key":{"description":"Key is the header key","type":"string"},"value":{"description":"Value is the header value","type":"string"}}}},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or  \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","required":["name"],"properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. 
For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may 
take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. 
The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is the custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specify the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. 
Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root 
user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","v1.30","v1.31","v1.32","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. 
Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. 
An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. 
If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"name":{"description":"Name is the variable name.","type":"string"},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attributes used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. 
Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"issuerRegExp":{"description":"IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"},"subjectRegExp":{"description":"SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). 
If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"},"tsaCertChain":{"description":"TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s://<namespace>/<secret_name>\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. 
If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Deprecated. Use attestor.signatureAlgorithm instead.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}}}}}},"cosignOCI11":{"description":"CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.\nDefaults to false.","type":"boolean"},"failureAction":{"description":"Allowed values are Audit or Enforce.","type":"string","enum":["Audit","Enforce"]},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. 
Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. 
Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","SigstoreBundle","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"validate":{"description":"Validation checks conditions across multiple image\nverification attestations or context entries","type":"object","properties":{"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. 
A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"}}},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be 
empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}],"title":"io.kyverno.v2beta1.Policy"},"io.kyverno.v2beta1.PolicyException":{"description":"PolicyException declares resources to be excluded from specified 
policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["exceptions","match"],"properties":{"background":{"description":"Background controls if exceptions are applied to existing policies during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"conditions":{"description":"Conditions are used to determine if a resource applies to the exception by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. 
A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be a fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when a rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions needs to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. 
Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exceptions":{"description":"Exceptions is a list of policies/rules to be excluded","type":"array","items":{"description":"Exception stores information about a policy and rules","type":"object","required":["policyName","ruleNames"],"properties":{"policyName":{"description":"PolicyName identifies the policy to which the exception is applied.\nThe policy name uses the format <namespace>/<name> unless it\nreferences a ClusterPolicy.","type":"string"},"ruleNames":{"description":"RuleNames identifies the rules to which the exception is applied.","type":"array","items":{"type":"string"}}}}},"match":{"description":"Match defines match clause used to check if a resource applies to the exception","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type 
string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  
This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allows users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. 
The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character). Wildcards allow writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespace names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE\", \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allow writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. 
If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognize the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object.  
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"podSecurity":{"description":"PodSecurity specifies the Pod Security Standard controls to be excluded.\nApplicable only to policies that have validate.podSecurity subrule.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. 
See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}],"title":"io.kyverno.v2beta1.PolicyException"},"io.kyverno.v2beta1.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyExceptionList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.PolicyExceptionList"},"io.kyverno.v2beta1.PolicyList":{"description":"PolicyList is a list of Policy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyList","version":"v2beta1"}],"title":"io.kyverno.v2beta1.PolicyList"},"io.opentelemetry.v1alpha1.Instrumentation":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"apacheHttpd":{"type":"object","properties":{"attrs":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type"
:"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"configPath":{"type":"string"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type"
:"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"version":{"type":"string"},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-typ
e":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"defaults":{"type":"object","properties":{"useLabelsForResourceAttributes":{"type":"boolean"}}},"dotnet":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes
-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":
{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"exporter":{"type":"object","properties":{"endpoint":{"type":"string"},"tls":{"type":"object","properti
es":{"ca_file":{"type":"string"},"cert_file":{"type":"string"},"configMapName":{"type":"string"},"key_file":{"type":"string"},"secretName":{"type":"string"}}}}},"go":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"t
ype":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageCla
ssName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"imagePullPolicy":{"type":"string"},"java":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"extensions":{"type":"array","items":{"type":"object","required":["dir","image"],"properties":{"dir":{"type":"string"},"image":{"type":"string"}}}},"image":{"type":"string"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"s
tring"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object"
,"required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"nginx":{"type":"object","properties":{"attrs":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"configFile
":{"type":"string"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kube
rnetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?
(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"nodejs":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"ob
ject","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":
{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"propagators":{"type":"array","items":{"type":"string","enum":["tracecontext","baggage","b3","b3multi","jaeger","xray","ottrace","none"]}},"python":{"type":"object","properties":{"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"image":{"type":"string"},"resourceRequirements":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x
-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properti
es":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}},"volumeLimitSize":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"resource":{"type":"object","properties":{"addK8sUIDAttributes":{"type":"boolean"},"resourceAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"sampler":{"type":"object","properties":{"argument":{"type":"string"},"type":{"type":"string","enum":["always_on","always_off","traceidratio","parentbased_always_on","parentbased_always_off","parentbased_traceidratio","jaeger_remote","xray"]}}}}},"status":{"type":"object"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"Instrumentation","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.Instrumentation"},"io.opentelemetry.v1alpha1.InstrumentationList":{"description":"InstrumentationList is a list of Instrumentation","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of instrumentations. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.opentelemetry.v1alpha1.Instrumentation"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"InstrumentationList","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.InstrumentationList"},"io.opentelemetry.v1alpha1.OpAMPBridge":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["capabilities","endpoint"],"properties":{"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type"
:"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"ato
mic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{
"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"capabilities":{"type":"object","additionalProperties":{"type":"boolean"}},"componentsAllowed":{"type":"object","additionalProperties":{"type":"array","items"
:{"type":"string"}}},"description":{"type":"object","required":["non_identifying_attributes"],"properties":{"non_identifying_attributes":{"type":"object","additionalProperties":{"type":"string"}}}},"endpoint":{"type":"string"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}},"headers":{"type":"object","additionalProperties":{"type":"string"}},"hostNetwork":{"type":"boolean"},"image":{"type":"string"}
,"imagePullPolicy":{"type":"string"},"ipFamilies":{"type":"array","items":{"type":"string"}},"ipFamilyPolicy":{"type":"string"},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"podAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"podDnsConfig":{"type":"object","properties":{"nameservers":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"options":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"searches":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"ports":{"type":"array","items":{"type":"object","required":["port"],"prop
erties":{"appProtocol":{"type":"string"},"name":{"type":"string"},"nodePort":{"type":"integer","format":"int32"},"port":{"type":"integer","format":"int32"},"protocol":{"type":"string"},"targetPort":{"x-kubernetes-int-or-string":true}}},"x-kubernetes-list-type":"atomic"},"priorityClassName":{"type":"string"},"replicas":{"type":"integer","format":"int32","maximum":1},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"typ
e":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}},"upgradeStrategy":{"type":"string","enum":["automatic","none"]},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"volumes":{"type":"array","items":{"type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"type":"object","required":["volumeID"],"properties":{"fsType"
:{"type":"string"},"partition":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"azureDisk":{"type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"type":"string"},"diskName":{"type":"string"},"diskURI":{"type":"string"},"fsType":{"type":"string"},"kind":{"type":"string"},"readOnly":{"type":"boolean"}}},"azureFile":{"type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"type":"boolean"},"secretName":{"type":"string"},"shareName":{"type":"string"}}},"cephfs":{"type":"object","required":["monitors"],"properties":{"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"readOnly":{"type":"boolean"},"secretFile":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"cinder":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"type":"string"}}},"configMap":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"nodePublishSecretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"type":"boolean"},"volumeAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"
int32"},"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"type":"object","properties":{"medium":{"type":"string"},"sizeLimit":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"type":"object","properties":{"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0
-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}}}},"fc":{"type":"object","properties":{"fsType":{"type":"string"},"lun":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"targetWWNs":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"options":{"type":"object","additionalProperties":{"type":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"type":"object","properties":{"datasetName":{"type":"string"},"datasetUUID":{"type":"string"}}},"gcePersistentDisk":{"type":"object","required":["pdName"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"pdName":{"type":"string"},"readOnly":{"type":"boolean"}}},"gitRepo":{"type":"object","required":["repository"],"properties":{"directory":{"type":"string"},"repository":{"t
ype":"string"},"revision":{"type":"string"}}},"glusterfs":{"type":"object","required":["endpoints","path"],"properties":{"endpoints":{"type":"string"},"path":{"type":"string"},"readOnly":{"type":"boolean"}}},"hostPath":{"type":"object","required":["path"],"properties":{"path":{"type":"string"},"type":{"type":"string"}}},"image":{"type":"object","properties":{"pullPolicy":{"type":"string"},"reference":{"type":"string"}}},"iscsi":{"type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"type":"boolean"},"chapAuthSession":{"type":"boolean"},"fsType":{"type":"string"},"initiatorName":{"type":"string"},"iqn":{"type":"string"},"iscsiInterface":{"type":"string"},"lun":{"type":"integer","format":"int32"},"portals":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"type":"string"}}},"name":{"type":"string"},"nfs":{"type":"object","required":["path","server"],"properties":{"path":{"type":"string"},"readOnly":{"type":"boolean"},"server":{"type":"string"}}},"persistentVolumeClaim":{"type":"object","required":["claimName"],"properties":{"claimName":{"type":"string"},"readOnly":{"type":"boolean"}}},"photonPersistentDisk":{"type":"object","required":["pdID"],"properties":{"fsType":{"type":"string"},"pdID":{"type":"string"}}},"portworxVolume":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"projected":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"sources":{"type":"array","items":{"type":"object","properties":{"clusterTrustBundle":{"type":"object","required":["path"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"str
ing"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"signerName":{"type":"string"}}},"configMap":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"type":"string"},"credentialBundlePath":{"type":"string"},"keyPath":{"type":"string"},"keyType":{"type":"string"},"maxExpirationSeconds":{"type":"integer","format":"int32"},"signerName":{"type":"string"}}},"secret":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"typ
e":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"type":"object","required":["path"],"properties":{"audience":{"type":"string"},"expirationSeconds":{"type":"integer","format":"int64"},"path":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"type":"object","required":["registry","volume"],"properties":{"group":{"type":"string"},"readOnly":{"type":"boolean"},"registry":{"type":"string"},"tenant":{"type":"string"},"user":{"type":"string"},"volume":{"type":"string"}}},"rbd":{"type":"object","required":["image","monitors"],"properties":{"fsType":{"type":"string"},"image":{"type":"string"},"keyring":{"type":"string"},"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"scaleIO":{"type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"type":"string"},"gateway":{"type":"string"},"protectionDomain":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"type":"boolean"},"storageMode":{"type":"string"},"storagePool":{"type":"string"},"system":{"type":"string"},"volumeName":{"type":"string"}}},"secret":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"type":"boolean"},"secretName":{"type":"string"}}},"storageos":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","proper
ties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"type":"string"},"volumeNamespace":{"type":"string"}}},"vsphereVolume":{"type":"object","required":["volumePath"],"properties":{"fsType":{"type":"string"},"storagePolicyID":{"type":"string"},"storagePolicyName":{"type":"string"},"volumePath":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"status":{"type":"object","properties":{"version":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpAMPBridge","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.OpAMPBridge"},"io.opentelemetry.v1alpha1.OpAMPBridgeList":{"description":"OpAMPBridgeList is a list of OpAMPBridge","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of opampbridges. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.opentelemetry.v1alpha1.OpAMPBridge"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpAMPBridgeList","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.OpAMPBridgeList"},"io.opentelemetry.v1alpha1.OpenTelemetryCollector":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["config","managementState"],"properties":{"additionalContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type"
:"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"
object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"protocol":{"type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"
type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"objec
t","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"int
eger","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type"
:"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"
type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"propertie
s":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type"
:"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"args":{"type":"object","additionalProperties":{"type":"string"}},"autoscaler":{"type":"object","properties":{"behavior":{"type":"object","properties":{"scaleDown":{"type":"object","properties":{"policies":{"type":"array","items":{"type":"object","required":["periodSeconds","type","value"],"properties":{"periodSeconds":{"type":"integer","format":"int32"},"type":{"type":"string"},"value":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"type":"string"},"stabilizationWindowSeconds":{"type":"integer","format":"int32"},"tolerance":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"scaleUp":{"type":"object","properties":{"policies":{"type":"array","items":{"type":"object","required":["periodSeconds","type","value"],"properties":{"periodSeconds":{"type":"integer","format":"int32"},"type":{"type":"string"},"value":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"type":"string"},"stabilizationWindowSeconds":{"type":"integer","format":"int32"},"tolerance":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+)))
)?$","x-kubernetes-int-or-string":true}}}}},"maxReplicas":{"type":"integer","format":"int32"},"metrics":{"type":"array","items":{"type":"object","required":["type"],"properties":{"pods":{"type":"object","required":["metric","target"],"properties":{"metric":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"target":{"type":"object","required":["type"],"properties":{"averageUtilization":{"type":"integer","format":"int32"},"averageValue":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"type":{"type":"string"},"value":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}},"type":{"type":"string"}}}},"minReplicas":{"type":"integer","format":"int32"},"targetCPUUtilization":{"type":"integer","format":"int32"},"targetMemoryUtilization":{"type":"integer","format":"int32"}}},"config":{"type":"string"},"configmaps":{"type":"array","items":{"type":"object","required":["mountpath","name"],"properties":{"mountpath":{"type":"string"},"name":{"type":"string"}}}},"deploymentUpdateStrategy":{"type":"object","properties":{"rollingUpdate":{"type":"object","properties":{"maxSurge":{"x-kubernetes-int-or-string":true},"maxUnavailable":{"x-kubernetes-int-or-string":true}}},"type":{"type":"string"}}},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"val
ue":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}},"hostNetwork":{"type":"boolean"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"ingress":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"hostname":{"type":"string"},"ingressClassName":{"type":"string"},"route":{"type":"object","properties":{"termination":{"type":"string","enum":["insecure","edge","passthrough","reencrypt"]}}},"ruleType":{"type":"string","enum":["path","subdomain"]},"tls":
{"type":"array","items":{"type":"object","properties":{"hosts":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"secretName":{"type":"string"}}}},"type":{"type":"string","enum":["ingress","route"]}}},"initContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"bo
olean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"ty
pe":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"protocol":{"type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name"
,"value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"object","properties":{"allowPrivilegeE
scalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocke
t":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"comma
nd":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"failureThreshold":{"type":"integer","format":"int32"},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"managementState":{"type":"string","enum":["managed","unmanaged"]},"maxReplicas":{"type":"integer","format":"int32"},"minReplicas":{"type":"integer","format":"int32"},"mode":{"type":"string","enum":["daemonset","deployment","sidecar","statefulset"]},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"observability":{"type":"object","properties":{"metrics":{"type":"object","properties":{"DisablePrometheusAnnotations":{"type":"boolean"},"enableMetrics":{"type":"boolean"}}}}},"podAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"podDisruptionBudget":{"type":"object","properties":{"maxUnavailable":{"x-kubernetes-int-or-string":true},"minAvailable":{"x-kubernetes-int-or-string":true}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"typ
e":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"ports":{"type":"array","items":{"type":"object","required":["port"],"properties":{"appProtocol":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"nodePort":{"type":"integer","format":"int32"},"port":{"type":"integer","format":"int32"},"protocol":{"type":"string"},"targetPort":{"x-kubernetes-int-or-string":true}}},"x-kubernetes-list-type":"atomic"},"priorityClassName":{"type":"string"},"replicas":{"type":"integer","format":"int32"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9
]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"serviceName":{"type":"string"},"shareProcessNamespace":{"type":"boolean"},"targetAllocator":{"type":"object","properties":{"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"t
ype":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"
},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"
x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"
object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"allocationStrategy":{"type":"string","enum":["least-weighted","consistent-hashing","per-node"]},"enabled":{"type":"boolean"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type"
:"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"filterStrategy":{"type":"string"},"image":{"type":"string"},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"observability":{"type":"object","properties":{"metrics":{"type":"object","properties":{"DisablePrometheusAnnotations":{"type":"boolean"},"enableMetrics":{"type":"boolean"}}}}},"podDisruptionBudget":{"type":"object","properties":{"maxUnavailable":{"x-kubernetes-int-or-string":true},"minAvailable":{"x-kubernetes-int-or-string":true}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items
":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"prometheusCR":{"type":"object","properties":{"enabled":{"type":"boolean"},"podMonitorSelector":{"type":"object","additionalProperties":{"type":"string"}},"scrapeClasses":{"x-kubernetes-list-type":"atomic","x-kubernetes-preserve-unknown-fields":true},"scrapeInterval":{"type":"string","format":"duration"},"serviceMonitorSelector":{"type":"object","additionalProperties":{"type":"string"}}}},"replicas":{"type":"integer","format":"int32"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootF
ilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{
"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}},"trafficDistribution":{"type":"string"},"updateStrategy":{"type":"object","properties":{"rollingUpdate":{"type":"object","properties":{"maxSurge":{"x-kubernetes-int-or-string":true},"maxUnavailable":{"x-kubernetes-int-or-string":true}}},"type":{"type":"string"}}},"upgradeStrategy":{"type":"string","enum":["automatic","none"]},"volumeClaimTemplates":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"kind":{"type":"string"},"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties"
:{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}},"status":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.
[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastProbeTime":{"type":"string","format":"date-time"},"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"type":"string"},"modifyVolumeStatus":{"type":"object","required":["status"],"properties":{"status":{"type":"string"},"targetVolumeAttributesClassName":{"type":"string"}}},"phase":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"volumes":{"type":"array","items":{"type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"azureDisk":{"type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"type":"string"},"diskName":{"type":"string"},"diskURI":{"type":"string"},"fsType":{"type":"string"},"kind":{"type":"string"},"readOnly":{"type":"boolean"}}},"azureFile":{"type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"type":"boolean"},"secretName":{"type":"string"},"shareName":{"type":"string"}}},"cephfs":{"type":"object","required":["monitors"],"properties":{"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"readOnly":{"
type":"boolean"},"secretFile":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"cinder":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"type":"string"}}},"configMap":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"nodePublishSecretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"type":"boolean"},"volumeAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"type":"object","pr
operties":{"medium":{"type":"string"},"sizeLimit":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"type":"object","properties":{"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"s
tring"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}}}},"fc":{"type":"object","properties":{"fsType":{"type":"string"},"lun":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"targetWWNs":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"options":{"type":"object","additionalProperties":{"type":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"type":"object","properties":{"datasetName":{"type":"string"},"datasetUUID":{"type":"string"}}},"gcePersistentDisk":{"type":"object","required":["pdName"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"pdName":{"type":"string"},"readOnly":{"type":"boolean"}}},"gitRepo":{"type":"object","required":["repository"],"properties":{"directory":{"type":"string"},"repository":{"type":"string"},"revision":{"type":"string"}}},"glusterfs":{"type":"object","required":["endpoints","path"],"properties":{"endpoints":{"type":"string"},"path":{"type":"string"},"readOnly":{"type":"boolean"}}},"hostPath":{"type":"object","required":["path"],"properties":{"path":{"type":"string"},"type":{"type":"string"}}},"image":{"type":"object","properties":{"pullPolicy":{"type":"string"},"reference":{"type":"string"}}},"iscsi":{"type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"type":"boolean"},"chapAuthSession":{"type":"boolean"},"fsType":{"type":"string"},"initiatorName":{"type":"string"},"iqn":{"type":"string"},"iscsiInterface":{"type":"string"},"lun":{"type":"integer","format":"int32"},"
portals":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"type":"string"}}},"name":{"type":"string"},"nfs":{"type":"object","required":["path","server"],"properties":{"path":{"type":"string"},"readOnly":{"type":"boolean"},"server":{"type":"string"}}},"persistentVolumeClaim":{"type":"object","required":["claimName"],"properties":{"claimName":{"type":"string"},"readOnly":{"type":"boolean"}}},"photonPersistentDisk":{"type":"object","required":["pdID"],"properties":{"fsType":{"type":"string"},"pdID":{"type":"string"}}},"portworxVolume":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"projected":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"sources":{"type":"array","items":{"type":"object","properties":{"clusterTrustBundle":{"type":"object","required":["path"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"signerName":{"type":"string"}}},"configMap":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI
":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"type":"string"},"credentialBundlePath":{"type":"string"},"keyPath":{"type":"string"},"keyType":{"type":"string"},"maxExpirationSeconds":{"type":"integer","format":"int32"},"signerName":{"type":"string"}}},"secret":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"type":"object","required":["path"],"properties":{"audience":{"type":"string"},"expirationSeconds":{"type":"integer","format":"int64"},"path":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"type":"object","required":["registry","volume"],"properties":{"group":{"type":"string"},"readOnly":{"type":"boolean"},"registry":{"type":"string"},"tenant":{"type":"string"},"user":{"type":"string"},"volume":{"type":"string"}}},"rbd":{"type":"object","required":["image","monitors"],"properties":{"fsType":{"type":"string"},"image":{"type":"string"},"keyring":{"type
":"string"},"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"scaleIO":{"type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"type":"string"},"gateway":{"type":"string"},"protectionDomain":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"type":"boolean"},"storageMode":{"type":"string"},"storagePool":{"type":"string"},"system":{"type":"string"},"volumeName":{"type":"string"}}},"secret":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"type":"boolean"},"secretName":{"type":"string"}}},"storageos":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"type":"string"},"volumeNamespace":{"type":"string"}}},"vsphereVolume":{"type":"object","required":["volumePath"],"properties":{"fsType":{"type":"string"},"storagePolicyID":{"type":"string"},"storagePolicyName":{"type":"string"},"volumePath":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"status":{"type":"object","properties":{"image":{"type":"string"},"messages":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"replicas":{"type":"integer","format":"int32"},"scale":{"type":"object","properties":{"replicas":{"type":"integer","format":"int32"},"selector":{"type":"string"},"statusReplicas":{"type":"string"}}},"versio
n":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpenTelemetryCollector","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.OpenTelemetryCollector"},"io.opentelemetry.v1alpha1.OpenTelemetryCollectorList":{"description":"OpenTelemetryCollectorList is a list of OpenTelemetryCollector","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of opentelemetrycollectors. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.opentelemetry.v1alpha1.OpenTelemetryCollector"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpenTelemetryCollectorList","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.OpenTelemetryCollectorList"},"io.opentelemetry.v1alpha1.TargetAllocator":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"additionalContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\
.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHe
aders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"protocol":{"type":"string"}}}
,"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)
?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"por
t":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"
array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"t
ype":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"val
ues":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items
":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"allocationStrategy":{"type":"string","enum":["least-weighted","consistent-hashing","per-node"]},"args":{"type":"object","additionalProperties":{"type":"string"}},"collectorNotReadyGracePeriod":{"type":"string","format":"duration"},"dnsPolicy":{"type":"string"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"stri
ng"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}},"filterStrategy":{"type":"string","enum":["","relabel-config"]},"global":{"type":"object"},"hostNetwork":{"type":"boolean"},"hostPID":{"type":"boolean"},"hostUsers":{"type":"boolean"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"initContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"op
tional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},
"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"succe
ssThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"protocol":{"type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartP
olicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"t
ype":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"
},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"ipFamilies":{"type":"array","items":{"type":"string"}},"ipFamilyPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}}
,"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"managementState":{"type":"string","enum":["managed","unmanaged"]},"networkPolicy":{"type":"object","properties":{"enabled":{"type":"boolean"}}},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"observability":{"type":"object","properties":{"metrics":{"type":"object","properties":{"disablePrometheusAnnotations":{"type":"boolean"},"enableMetrics":{"type":"boolean"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}},"podAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"podDisruptionBudget":{"type":"object","properties":{"maxUnavailable":{"x-kubernetes-int-or-string":true},"minAvailable":{"x-kubernetes-int-or-string":true}}},"podDnsConfig":{"type":"object","properties":{"nameservers":{"type":"array","items":{"type":"string"},"x-kubernet
es-list-type":"atomic"},"options":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"searches":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"ports":{"type":"array","items":{"type":"object","required":["port"],"properties":{"appProtocol":{"type":"string"},"hostPort":{"type":"integer","format":"int32","maximum":65535,"minimum":0},"name":{"type":"string"},"nodePort":{"type":"integer","format":"int32"},"port":{"type":"integer","format":"int32"},"protocol":{"type":"string"},"targetPort":{"x-kubernetes-int-or-string":true}}},"x-kubernetes-list-type":"atomic"},"priorityClassName":{"type":"string"},"promet
heusCR":{"type":"object","properties":{"allowNamespaces":{"type":"array","items":{"type":"string"}},"denyNamespaces":{"type":"array","items":{"type":"string"}},"enabled":{"type":"boolean"},"evaluationInterval":{"type":"string","format":"duration"},"podMonitorNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podMonitorSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-
type":"atomic"},"scrapeClasses":{"x-kubernetes-list-type":"atomic","x-kubernetes-preserve-unknown-fields":true},"scrapeConfigNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeConfigSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeInterval":{"type":"string","format":"duration"},"scrapeProtocols":{"type":"array","items":{"type":"string"}},"serviceMonitorNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceMonitorSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-ma
p-type":"atomic"}}},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"replicas":{"type":"integer","format":"int32"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"scrapeConfigs":{"x-kubernetes-list-type":"atomic","x-kubernetes-preserve-unknown-fields":t
rue},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"shareProcessNamespace":{"type":"boolean"},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-
type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}},"trafficDistribution":{"type":"string"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"volumes":{"type":"array","items":{"type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"azureDisk":{"type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"type":"string"},"diskName":{"type":"string"},"diskURI":{"type":"string"},"fsType":{"type":"string"},"kind":{"type":"string"},"readOnly":{"type":"boolean"}}},"azureFile":{"type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"type":"boolean"},"secretName":{"type":"string"},"shareName":{"type":"string"}}},"cephfs":{"type":"object","required":["monitors"],"properties":{"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"readOnly":{"type":"boolean"},"secretFile":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"cinder":{"type":"object","required":["volumeID"
],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"type":"string"}}},"configMap":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"nodePublishSecretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"type":"boolean"},"volumeAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"type":"object","properties":{"medium":{"type":"string"},"sizeLimit":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephem
eral":{"type":"object","properties":{"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}}}},"fc":{"type":"object","properti
es":{"fsType":{"type":"string"},"lun":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"targetWWNs":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"options":{"type":"object","additionalProperties":{"type":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"type":"object","properties":{"datasetName":{"type":"string"},"datasetUUID":{"type":"string"}}},"gcePersistentDisk":{"type":"object","required":["pdName"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"pdName":{"type":"string"},"readOnly":{"type":"boolean"}}},"gitRepo":{"type":"object","required":["repository"],"properties":{"directory":{"type":"string"},"repository":{"type":"string"},"revision":{"type":"string"}}},"glusterfs":{"type":"object","required":["endpoints","path"],"properties":{"endpoints":{"type":"string"},"path":{"type":"string"},"readOnly":{"type":"boolean"}}},"hostPath":{"type":"object","required":["path"],"properties":{"path":{"type":"string"},"type":{"type":"string"}}},"image":{"type":"object","properties":{"pullPolicy":{"type":"string"},"reference":{"type":"string"}}},"iscsi":{"type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"type":"boolean"},"chapAuthSession":{"type":"boolean"},"fsType":{"type":"string"},"initiatorName":{"type":"string"},"iqn":{"type":"string"},"iscsiInterface":{"type":"string"},"lun":{"type":"integer","format":"int32"},"portals":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"target
Portal":{"type":"string"}}},"name":{"type":"string"},"nfs":{"type":"object","required":["path","server"],"properties":{"path":{"type":"string"},"readOnly":{"type":"boolean"},"server":{"type":"string"}}},"persistentVolumeClaim":{"type":"object","required":["claimName"],"properties":{"claimName":{"type":"string"},"readOnly":{"type":"boolean"}}},"photonPersistentDisk":{"type":"object","required":["pdID"],"properties":{"fsType":{"type":"string"},"pdID":{"type":"string"}}},"portworxVolume":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"projected":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"sources":{"type":"array","items":{"type":"object","properties":{"clusterTrustBundle":{"type":"object","required":["path"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"signerName":{"type":"string"}}},"configMap":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":
{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"type":"string"},"credentialBundlePath":{"type":"string"},"keyPath":{"type":"string"},"keyType":{"type":"string"},"maxExpirationSeconds":{"type":"integer","format":"int32"},"signerName":{"type":"string"}}},"secret":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"type":"object","required":["path"],"properties":{"audience":{"type":"string"},"expirationSeconds":{"type":"integer","format":"int64"},"path":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"type":"object","required":["registry","volume"],"properties":{"group":{"type":"string"},"readOnly":{"type":"boolean"},"registry":{"type":"string"},"tenant":{"type":"string"},"user":{"type":"string"},"volume":{"type":"string"}}},"rbd":{"type":"object","required":["image","monitors"],"properties":{"fsType":{"type":"string"},"image":{"type":"string"},"keyring":{"type":"string"},"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x
-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"scaleIO":{"type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"type":"string"},"gateway":{"type":"string"},"protectionDomain":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"type":"boolean"},"storageMode":{"type":"string"},"storagePool":{"type":"string"},"system":{"type":"string"},"volumeName":{"type":"string"}}},"secret":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"type":"boolean"},"secretName":{"type":"string"}}},"storageos":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"type":"string"},"volumeNamespace":{"type":"string"}}},"vsphereVolume":{"type":"object","required":["volumePath"],"properties":{"fsType":{"type":"string"},"storagePolicyID":{"type":"string"},"storagePolicyName":{"type":"string"},"volumePath":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"status":{"type":"object","properties":{"image":{"type":"string"},"version":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"TargetAllocator","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.TargetAllocator"},"io.opentelemetry.v1alpha1.TargetAllocatorList":{"description":"TargetAllocatorList is a list of TargetAllocator","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of targetallocators. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.opentelemetry.v1alpha1.TargetAllocator"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"TargetAllocatorList","version":"v1alpha1"}],"title":"io.opentelemetry.v1alpha1.TargetAllocatorList"},"io.opentelemetry.v1beta1.OpenTelemetryCollector":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["config"],"properties":{"additionalContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["na
me"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","r
equired":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"type":"string"},"protocol":{"type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"in
t32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{
"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme"
:{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"t
ype":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"o
bject","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"o
bject","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object
","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"args":{"type":"object","additionalProperties":{"type":"string"}},"autoscaler":{"type":"object","properties":{"behavior":{"type":"object","properties":{"scaleDown":{"type":"object","properties":{"policies":{"type":"array","items":{"type":"object","required":["periodSeconds","type","value"],"properties":{"periodSeconds":{"type":"integer","format":"int32"},"type":{"type":"string"},"value":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"type":"string"},"stabilizationWindowSeconds":{"type":"integer","format":"int32"},"tolerance":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"scaleUp":{"type":"object","properties":{"policies":{"type":"array","items":{"type":"object","required":["periodSeconds","type","value"],"properties":{"periodSeconds":{"type":"integer","format":"int32"},"type":{"type":"string"},"value":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"type":"string"},"stabilizationWindowSeconds":{"type":"integ
er","format":"int32"},"tolerance":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}},"maxReplicas":{"type":"integer","format":"int32","minimum":1},"metrics":{"type":"array","items":{"type":"object","required":["type"],"properties":{"pods":{"type":"object","required":["metric","target"],"properties":{"metric":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"target":{"type":"object","required":["type"],"properties":{"averageUtilization":{"type":"integer","format":"int32"},"averageValue":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"type":{"type":"string"},"value":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}},"type":{"type":"string"}}}},"minReplicas":{"type":"integer","format":"int32","minimum":1},"targetCPUUtilization":{"type":"integer","format":"int32","minimum":1},"targetMemoryUtilization":{"type":"integer","format":"int32","minimum":1}}},"config":{"required":["exporters","receivers","service"],"x-kubernetes-preserve-unknown-fields":true},"configVersions":{"type":"integer","minimum":1},"configmaps":{"type":"array","items":{"type":"object","required":["mountpath","name"],"properties":{"mountpath":{"type":"string"},"name":{"type":"string"}}}},"daemonSetU
pdateStrategy":{"type":"object","properties":{"rollingUpdate":{"type":"object","properties":{"maxSurge":{"x-kubernetes-int-or-string":true},"maxUnavailable":{"x-kubernetes-int-or-string":true}}},"type":{"type":"string"}}},"deploymentUpdateStrategy":{"type":"object","properties":{"rollingUpdate":{"type":"object","properties":{"maxSurge":{"x-kubernetes-int-or-string":true},"maxUnavailable":{"x-kubernetes-int-or-string":true}}},"type":{"type":"string"}}},"dnsPolicy":{"type":"string"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"sec
retRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}},"hostNetwork":{"type":"boolean"},"hostPID":{"type":"boolean"},"hostUsers":{"type":"boolean"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"ingress":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"hostname":{"type":"string"},"ingressClassName":{"type":"string"},"route":{"type":"object","properties":{"termination":{"type":"string","enum":["insecure","edge","passthrough","reencrypt"]}}},"ruleType":{"type":"string","enum":["path","subdomain"]},"tls":{"type":"array","items":{"type":"object","properties":{"hosts":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"secretName":{"type":"string"}}}},"type":{"type":"string","enum":["ingress","route"]}}},"initContainers":{"type":"array","items":{"type":"object","required":["name"],"properties":{"args":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string
"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"
properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","required":["containerPort"],"properties":{"containerPort":{"type":"integer","format":"int32"},"hostIP":{"type":"string"},"hostPort":{"type":"integer","format":"int32"},"name":{"t
ype":"string"},"protocol":{"type":"string"}}},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map"},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"object","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"resizePolicy":{"type":"array","items":{"type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object
","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"restartPolicyRules":{"type":"array","items":{"type":"object","required":["action"],"properties":{"action":{"type":"string"},"exitCodes":{"type":"object","required":["operator"],"properties":{"operator":{"type":"string"},"values":{"type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}}}},"x-kubernetes-list-type":"atomic"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"failureThreshold":{"type":"integer","format":"int32"},"grpc":{"type":"o
bject","required":["port"],"properties":{"port":{"type":"integer","format":"int32"},"service":{"type":"string"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer","format":"int32"},"periodSeconds":{"type":"integer","format":"int32"},"successThreshold":{"type":"integer","format":"int32"},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"timeoutSeconds":{"type":"integer","format":"int32"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","required":["devicePath","name"],"properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map"},"workingDir":{"type":"string"}}}},"ipFamilies":{"type":"array","items":{"type":"string"}},"ipFamilyPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type
":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"httpGet":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","required":["seconds"],"properties":{"seconds":{"type":"integer","format":"int64"}}},"tcpSocket":{"type":"object","required":["port"],"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"failureThreshold":{"type":"integer","format":"int32","minimum":1},"initialDelaySeconds":{"type":"integer","format":"int32","minimum":0},"periodSeconds":{"type":"integer","format":"int32","minimum":1},"successThreshold":{"type":"integer","format":"int32","minimum":1},"terminationGracePeriodSeconds":{"type":"integer","format":"int64","minimum":1},"timeoutSeconds":{"type":"integer","format":"int32","minimum":1}}},"managementState":{"type":"string","enum":["managed","unmanage
d"]},"mode":{"type":"string","enum":["daemonset","deployment","sidecar","statefulset"]},"networkPolicy":{"type":"object","properties":{"enabled":{"type":"boolean"}}},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"observability":{"type":"object","properties":{"metrics":{"type":"object","properties":{"disablePrometheusAnnotations":{"type":"boolean"},"enableMetrics":{"type":"boolean"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}},"persistentVolumeClaimRetentionPolicy":{"type":"object","properties":{"whenDeleted":{"type":"string"},"whenScaled":{"type":"string"}}},"podAnnotations":{"type":"object","additionalProperties":{"type":"string"}},"podDisruptionBudget":{"type":"object","properties":{"maxUnavailable":{"x-kubernetes-int-or-string":true},"minAvailable":{"x-kubernetes-int-or-string":true}}},"podDnsConfig":{"type":"object","properties":{"nameservers":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"options":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"searches":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array
","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"ports":{"type":"array","items":{"type":"object","required":["port"],"properties":{"appProtocol":{"type":"string"},"hostPort":{"type":"integer","format":"int32","maximum":65535,"minimum":0},"name":{"type":"string"},"nodePort":{"type":"integer","format":"int32"},"port":{"type":"integer","format":"int32"},"protocol":{"type":"string"},"targetPort":{"x-kubernetes-int-or-string":true}}},"x-kubernetes-list-type":"atomic"},"priorityClassName":{"type":"string"},"readinessProbe":{"type":"object","properties":{"failureThreshold":{"type":"integer","format":"int32","minimum":1},"initialDelaySeconds":{"type":"integer","format":"int32","minimum":0},"periodSeconds":{"type":"integer","format":"int32","minimum":1},"successThreshold":{"type":"integer","format":"int32","minimum":1},"terminationGracePeriodSeconds":{"type":"integer","format":"int64","minimum":1},"timeoutSeconds":{"type":"integer","format":"int32","minimum":1}}},"replicas":{"type":"integer","format":"int32"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"p
attern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"serviceName":{"type":"string"},"shareProcessNamespace":{"type":"boolean"},"startupProbe":{"type":"object","properties":{"failureThreshold":{"type":"integer","format":"int32","minimum":1},"initialDelaySeconds":{"type":"integer","format":"int32","minimum":0},"periodSeconds":{"type":"integer","format":"int32","minimum":1},"successThreshold":{"type":"integer","format":"int32","minimum":1},"terminationGracePeriodSeconds":{"type":"integer","format":"int64","minimum":1},"timeoutSeconds":{"type":"integer","format":"int32","minimum":1}}},"targetAllocator":{"type":"object","properties":{"affinity":{"type":"object","properties":{"nodeA
ffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["preference","weight"],"properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchFields":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"p
roperties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"stri
ng"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["podAffinityTerm","weight"],"properties":{"podAffinityTerm":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"arr
ay","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"weight":{"type":"integer","format":"int32"}}},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","required":["topologyKey"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string"}}},"x-kubernetes-list-type":"atomic"}}}}},"allocationStrategy":{"type":"string","enum":["least-weighted","consistent-hashing","per-node"]},"collectorNotReadyGracePeriod":{"type":"string","format":"duration"},"collectorTargetReloadInterval":{"type":"string","format":"duration"},"enabled":{"type":"boolean"},"env":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"
type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"fileKeyRef":{"type":"object","required":["key","path","volumeName"],"properties":{"key":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"volumeName":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"secretKeyRef":{"type":"object","required":["key"],"properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"}}}}}},"filterStrategy":{"type":"string","enum":["","relabel-config"]},"image":{"type":"string"},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"observability":{"type":"object","properties":{"metrics":{"type":"object","properties":{"disablePrometheusAnnotations":{"type":"boolean"},"enableMetrics":{"type":"boolean"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}},"podDisruptionBudget":{"type":"object","properties":{"maxUnavailable":{"x-kubernetes-int-or-string":true},"minAvailable":{"x-kubernetes-int-or-string":true}}},"podSecurityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"fsGroup":{"type":"integer","format":"int64"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"typ
e":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","required":["name","value"],"properties":{"name":{"type":"string"},"value":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"prometheusCR":{"type":"object","properties":{"allowNamespaces":{"type":"array","items":{"type":"string"}},"denyNamespaces":{"type":"array","items":{"type":"string"}},"enabled":{"type":"boolean"},"evaluationInterval":{"type":"string","format":"duration"},"podMonitorNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"podMonitorSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","addi
tionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"probeSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeClasses":{"x-kubernetes-list-type":"atomic","x-kubernetes-preserve-unknown-fields":true},"scrapeConfigNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeConfigSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"scrapeInterval":{"type":"string","format":"duration"},"scra
peProtocols":{"type":"array","items":{"type":"string"}},"serviceMonitorNamespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"serviceMonitorSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"replicas":{"type":"integer","format":"int32"},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","required":["name"],"properties":{"name":{"type":"string"},"request":{"type":"string"}}},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"
type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer","format":"int64"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer","format":"int64"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","required":["type"],"properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"
whenUnsatisfiable":{"type":"string"}}}}}},"terminationGracePeriodSeconds":{"type":"integer","format":"int64"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer","format":"int64"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"matchLabelKeys":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"type":"integer","format":"int32"},"minDomains":{"type":"integer","format":"int32"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}},"trafficDistribution":{"type":"string"},"upgradeStrategy":{"type":"string","enum":["automatic","none"]},"volumeClaimTemplates":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"kind":{"type":"string"},"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup
":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}},"status":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"granular"},"allocatedResources":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(
\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"type":"array","items":{"type":"object","required":["status","type"],"properties":{"lastProbeTime":{"type":"string","format":"date-time"},"lastTransitionTime":{"type":"string","format":"date-time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}}},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"currentVolumeAttributesClassName":{"type":"string"},"modifyVolumeStatus":{"type":"object","required":["status"],"properties":{"status":{"type":"string"},"targetVolumeAttributesClassName":{"type":"string"}}},"phase":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"},"volumeMounts":{"type":"array","items":{"type":"object","required":["mountPath","name"],"properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"volumes":{"type":"array","items":{"type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"azureDisk":{"type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"type":"string"},"diskName":{"type":"string"},"diskURI":{"type":"string"},"fsType":{"type":"string"},"kind":{"type":"string"},"readOnly":{"type":"boolean"}}},"azureFile":{"type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"type":"boolean"},"secretName":{"type":"string"},"shareName":{"type":"string"}}},"cephfs":{"type":"object","required":["monitors"],"properties":{"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"type":"string"},"readOnly":{"type":"bool
ean"},"secretFile":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"cinder":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeID":{"type":"string"}}},"configMap":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"csi":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"nodePublishSecretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"readOnly":{"type":"boolean"},"volumeAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"emptyDir":{"type":"object","properties":{
"medium":{"type":"string"},"sizeLimit":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}},"ephemeral":{"type":"object","properties":{"volumeClaimTemplate":{"type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"finalizers":{"type":"array","items":{"type":"string"}},"labels":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"namespace":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"dataSource":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"dataSourceRef":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"
x-kubernetes-map-type":"atomic"},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}}}},"fc":{"type":"object","properties":{"fsType":{"type":"string"},"lun":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"targetWWNs":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"flexVolume":{"type":"object","required":["driver"],"properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"options":{"type":"object","additionalProperties":{"type":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"flocker":{"type":"object","properties":{"datasetName":{"type":"string"},"datasetUUID":{"type":"string"}}},"gcePersistentDisk":{"type":"object","required":["pdName"],"properties":{"fsType":{"type":"string"},"partition":{"type":"integer","format":"int32"},"pdName":{"type":"string"},"readOnly":{"type":"boolean"}}},"gitRepo":{"type":"object","required":["repository"],"properties":{"directory":{"type":"string"},"repository":{"type":"string"},"revision":{"type":"string"}}},"glusterfs":{"type":"object","required":["endpoints","path"],"properties":{"endpoints":{"type":"string"},"path":{"type":"string"},"readOnly":{"type":"boolean"}}},"hostPath":{"type":"object","required":["path"],"properties":{"path":{"type":"string"},"type":{"type":"string"}}},"image":{"type":"object","properties":{"pullPolicy":{"type":"string"},"reference":{"type":"string"}}},"iscsi":{"type":"object","required":["iqn","lun","targetPortal"],"properties":{"chapAuthDiscovery":{"type":"boolean"},"chapAuthSession":{"type":"boolean"},"fsType":{"type":"string"},"initiatorName":{"type":"string"},"iqn":{"type":"string"},"iscsiInterface":{"type":"string"},"lun":{"type":"integer","format":"int32"},"portals":{"
type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"targetPortal":{"type":"string"}}},"name":{"type":"string"},"nfs":{"type":"object","required":["path","server"],"properties":{"path":{"type":"string"},"readOnly":{"type":"boolean"},"server":{"type":"string"}}},"persistentVolumeClaim":{"type":"object","required":["claimName"],"properties":{"claimName":{"type":"string"},"readOnly":{"type":"boolean"}}},"photonPersistentDisk":{"type":"object","required":["pdID"],"properties":{"fsType":{"type":"string"},"pdID":{"type":"string"}}},"portworxVolume":{"type":"object","required":["volumeID"],"properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"projected":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"sources":{"type":"array","items":{"type":"object","properties":{"clusterTrustBundle":{"type":"object","required":["path"],"properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","required":["key","operator"],"properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"signerName":{"type":"string"}}},"configMap":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"downwardAPI":{"type":"
object","properties":{"items":{"type":"array","items":{"type":"object","required":["path"],"properties":{"fieldRef":{"type":"object","required":["fieldPath"],"properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","required":["resource"],"properties":{"containerName":{"type":"string"},"divisor":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true},"resource":{"type":"string"}},"x-kubernetes-map-type":"atomic"}}},"x-kubernetes-list-type":"atomic"}}},"podCertificate":{"type":"object","required":["keyType","signerName"],"properties":{"certificateChainPath":{"type":"string"},"credentialBundlePath":{"type":"string"},"keyPath":{"type":"string"},"keyType":{"type":"string"},"maxExpirationSeconds":{"type":"integer","format":"int32"},"signerName":{"type":"string"}}},"secret":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"name":{"type":"string"},"optional":{"type":"boolean"}},"x-kubernetes-map-type":"atomic"},"serviceAccountToken":{"type":"object","required":["path"],"properties":{"audience":{"type":"string"},"expirationSeconds":{"type":"integer","format":"int64"},"path":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}}},"quobyte":{"type":"object","required":["registry","volume"],"properties":{"group":{"type":"string"},"readOnly":{"type":"boolean"},"registry":{"type":"string"},"tenant":{"type":"string"},"user":{"type":"string"},"volume":{"type":"string"}}},"rbd":{"type":"object","required":["image","monitors"],"properties":{"fsType":{"type":"string"},"image":{"type":"string"},"keyring":{"type":"string"}
,"monitors":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"user":{"type":"string"}}},"scaleIO":{"type":"object","required":["gateway","secretRef","system"],"properties":{"fsType":{"type":"string"},"gateway":{"type":"string"},"protectionDomain":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"sslEnabled":{"type":"boolean"},"storageMode":{"type":"string"},"storagePool":{"type":"string"},"system":{"type":"string"},"volumeName":{"type":"string"}}},"secret":{"type":"object","properties":{"defaultMode":{"type":"integer","format":"int32"},"items":{"type":"array","items":{"type":"object","required":["key","path"],"properties":{"key":{"type":"string"},"mode":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"x-kubernetes-list-type":"atomic"},"optional":{"type":"boolean"},"secretName":{"type":"string"}}},"storageos":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}},"x-kubernetes-map-type":"atomic"},"volumeName":{"type":"string"},"volumeNamespace":{"type":"string"}}},"vsphereVolume":{"type":"object","required":["volumePath"],"properties":{"fsType":{"type":"string"},"storagePolicyID":{"type":"string"},"storagePolicyName":{"type":"string"},"volumePath":{"type":"string"}}}}},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-validations":[{"message":"the OpenTelemetry Collector mode is set to sidecar, which does not support the attribute 'tolerations'","rule":"!(self.mode == 'sidecar' && size(self.tolerations) > 0) || !has(self.tolerations)"},{"message":"the OpenTelemetry Collector mode is set to sidecar, which does not support the attribute 
'priorityClassName'","rule":"!(self.mode == 'sidecar' && self.priorityClassName != '') || !has(self.priorityClassName)"},{"message":"the OpenTelemetry Collector mode is set to sidecar, which does not support the attribute 'affinity'","rule":"!(self.mode == 'sidecar' && self.affinity != null) || !has(self.affinity)"},{"message":"the OpenTelemetry Collector mode is set to sidecar, which does not support the attribute 'additionalContainers'","rule":"!(self.mode == 'sidecar' && size(self.additionalContainers) > 0) || !has(self.additionalContainers)"}]},"status":{"type":"object","properties":{"image":{"type":"string"},"scale":{"type":"object","properties":{"replicas":{"type":"integer","format":"int32"},"selector":{"type":"string"},"statusReplicas":{"type":"string"}}},"version":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpenTelemetryCollector","version":"v1beta1"}],"title":"io.opentelemetry.v1beta1.OpenTelemetryCollector"},"io.opentelemetry.v1beta1.OpenTelemetryCollectorList":{"description":"OpenTelemetryCollectorList is a list of OpenTelemetryCollector","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of opentelemetrycollectors. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.opentelemetry.v1beta1.OpenTelemetryCollector"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"opentelemetry.io","kind":"OpenTelemetryCollectorList","version":"v1beta1"}],"title":"io.opentelemetry.v1beta1.OpenTelemetryCollectorList"},"io.wgpolicyk8s.v1alpha2.ClusterPolicyReport":{"description":"ClusterPolicyReport is the Schema for the clusterpolicyreports API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). 
This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. 
Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"scope":{"description":"Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). 
This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"scopeSelector":{"description":"ScopeSelector is an optional selector for multiple scopes (e.g. Pods).\nEither one of, or none of, but not both of, Scope or ScopeSelector should be specified.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}],"title":"io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"},"io.wgpolicyk8s.v1alpha2.ClusterPolicyReportList":{"description":"ClusterPolicyReportList is a list of ClusterPolicyReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicyreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReportList","version":"v1alpha2"}],"title":"io.wgpolicyk8s.v1alpha2.ClusterPolicyReportList"},"io.wgpolicyk8s.v1alpha2.PolicyReport":{"description":"PolicyReport is the Schema for the policyreports API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). 
This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. 
Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"scope":{"description":"Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). 
This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"scopeSelector":{"description":"ScopeSelector is an optional selector for multiple scopes (e.g. Pods).\nEither one of, or none of, but not both of, Scope or ScopeSelector should be specified.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. 
If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}],"title":"io.wgpolicyk8s.v1alpha2.PolicyReport"},"io.wgpolicyk8s.v1alpha2.PolicyReportList":{"description":"PolicyReportList is a list of PolicyReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyreports. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"PolicyReportList","version":"v1alpha2"}],"title":"io.wgpolicyk8s.v1alpha2.PolicyReportList"},"org.keycloak.k8s.v2alpha1.Keycloak":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"additionalOptions":{"description":"Configuration of the Keycloak server,\nexpressed as keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. Use a secret reference for sensitive options; a direct value is readable by anyone who can read this resource.","type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"secret":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"value":{"type":"string"}}}},"bootstrapAdmin":{"description":"In this section you can configure Keycloak's bootstrap admin - will be used only for initial cluster creation.","type":"object","properties":{"service":{"description":"Configures the bootstrap admin service account","type":"object","properties":{"secret":{"description":"Name of the Secret that contains the client-id and client-secret keys","type":"string"}}},"user":{"description":"Configures the bootstrap admin user","type":"object","properties":{"secret":{"description":"Name of the Secret that contains the username and password keys","type":"string"}}}}},"cache":{"description":"In this section you can configure Keycloak's cache","type":"object","properties":{"configMapFile":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}}}},"db":{"description":"In this section you can find all properties related to connecting to a database.","type":"object","properties":{"database":{"description":"Sets the database name of the default JDBC URL of the chosen vendor. If the `url` option is set, this option is ignored.","type":"string"},"host":{"description":"Sets the hostname of the default JDBC URL of the chosen vendor. 
If the `url` option is set, this option is ignored.","type":"string"},"passwordSecret":{"description":"The reference to a secret holding the password of the database user.","type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"poolInitialSize":{"description":"The initial size of the connection pool.","type":"integer"},"poolMaxSize":{"description":"The maximum size of the connection pool.","type":"integer"},"poolMinSize":{"description":"The minimal size of the connection pool.","type":"integer"},"port":{"description":"Sets the port of the default JDBC URL of the chosen vendor. If the `url` option is set, this option is ignored.","type":"integer"},"schema":{"description":"The database schema to be used.","type":"string"},"url":{"description":"The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor. For instance, if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. ","type":"string"},"usernameSecret":{"description":"The reference to a secret holding the username of the database user.","type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"vendor":{"description":"The database vendor.","type":"string"}}},"env":{"description":"Environment variables for the Keycloak server.\nValues can be either direct values or references to secrets. 
Use additionalOptions for first-class options rather than KC_ values here.","type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"secret":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"value":{"type":"string"}}}},"features":{"description":"In this section you can configure Keycloak features, which should be enabled/disabled.","type":"object","properties":{"disabled":{"description":"Disabled Keycloak features","type":"array","items":{"type":"string"}},"enabled":{"description":"Enabled Keycloak features","type":"array","items":{"type":"string"}}}},"hostname":{"description":"In this section you can configure Keycloak hostname and related properties.","type":"object","properties":{"admin":{"description":"The hostname for accessing the administration console. Applicable for Hostname v1 and v2.","type":"string"},"adminUrl":{"description":"DEPRECATED. Sets the base URL for accessing the administration console, including scheme, host, port and path. Applicable for Hostname v1.","type":"string"},"backchannelDynamic":{"description":"Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. Applicable for Hostname v2.","type":"boolean"},"hostname":{"description":"Hostname for the Keycloak server. Applicable for Hostname v1 and v2.","type":"string"},"strict":{"description":"Disables dynamically resolving the hostname from request headers. Applicable for Hostname v1 and v2.","type":"boolean"},"strictBackchannel":{"description":"DEPRECATED. By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. 
Applicable for Hostname v1.","type":"boolean"}}},"http":{"description":"In this section you can configure Keycloak features related to HTTP and HTTPS","type":"object","properties":{"annotations":{"description":"Annotations to be appended to the Service object","type":"object","additionalProperties":{"type":"string"}},"httpEnabled":{"description":"Enables the HTTP listener.","type":"boolean"},"httpPort":{"description":"The used HTTP port.","type":"integer"},"httpsPort":{"description":"The used HTTPS port.","type":"integer"},"labels":{"description":"Labels to be appended to the Service object","type":"object","additionalProperties":{"type":"string"}},"tlsSecret":{"description":"A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets.","type":"string"}}},"httpManagement":{"description":"In this section you can configure Keycloak's management interface setting.","type":"object","properties":{"port":{"description":"Port of the management interface.","type":"integer"}}},"image":{"description":"Custom Keycloak image to be used.","type":"string"},"imagePullSecrets":{"description":"Secret(s) that might be used when pulling an image from a private container image registry or repository.","type":"array","items":{"type":"object","properties":{"name":{"type":"string"}}}},"import":{"description":"In this section you can configure import Jobs","type":"object","properties":{"scheduling":{"description":"In this section you can configure import jobs 
scheduling","type":"object","properties":{"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}}}}}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"val
ues":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"ty
pe":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}}}},"priorityClassName":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"maxSkew":{"type":"integer"},"minDomains":{"type":"integer"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type"
:"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}}}}}},"ingress":{"description":"The deployment is, by default, exposed through a basic ingress.\nYou can change this behaviour by setting the enabled property to false.","type":"object","properties":{"annotations":{"description":"Additional annotations to be appended to the Ingress object","type":"object","additionalProperties":{"type":"string"}},"className":{"type":"string"},"enabled":{"type":"boolean"},"labels":{"description":"Additional labels to be appended to the Ingress object","type":"object","additionalProperties":{"type":"string"}},"tlsSecret":{"description":"A secret containing the TLS configuration for re-encrypt or TLS termination scenarios. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets.","type":"string"}}},"instances":{"description":"Number of Keycloak instances. Default is 1.","type":"integer"},"livenessProbe":{"description":"Configuration for liveness probe, by default it is 10 for periodSeconds and 3 for failureThreshold","type":"object","properties":{"failureThreshold":{"type":"integer"},"periodSeconds":{"type":"integer"}}},"networkPolicy":{"description":"Controls the ingress traffic flow into Keycloak pods.","type":"object","properties":{"enabled":{"description":"Enables or disables the ingress traffic control.","type":"boolean"},"http":{"description":"A list of sources which should be able to access this endpoint. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). 
If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"type":"object","properties":{"ipBlock":{"type":"object","properties":{"cidr":{"type":"string"},"except":{"type":"array","items":{"type":"string"}}}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"podSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}}},"https":{"description":"A list of sources which should be able to access this endpoint. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). 
If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"type":"object","properties":{"ipBlock":{"type":"object","properties":{"cidr":{"type":"string"},"except":{"type":"array","items":{"type":"string"}}}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"podSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}}},"management":{"description":"A list of sources which should be able to access this endpoint. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). 
If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"type":"object","properties":{"ipBlock":{"type":"object","properties":{"cidr":{"type":"string"},"except":{"type":"array","items":{"type":"string"}}}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"podSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}}}}}}},"proxy":{"description":"In this section you can configure Keycloak's reverse proxy setting","type":"object","properties":{"headers":{"description":"The proxy headers that should be accepted by the server. 
Misconfiguration might leave the server exposed to security vulnerabilities: set this only when Keycloak runs behind a trusted reverse proxy that overwrites these headers, because otherwise a client can supply its own forwarded values.","type":"string"}}},"readinessProbe":{"description":"Configuration for readiness probe, by default it is 10 for periodSeconds and 3 for failureThreshold","type":"object","properties":{"failureThreshold":{"type":"integer"},"periodSeconds":{"type":"integer"}}},"resources":{"description":"Compute Resources required by Keycloak container","type":"object","properties":{"claims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}},"scheduling":{"description":"In this section you can configure Keycloak's scheduling","type":"object","properties":{"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}}
}}}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}},"podAnt
iAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}}}},"priorityClass
Name":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"maxSkew":{"type":"integer"},"minDomains":{"type":"integer"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}}}},"serviceMonitor":{"description":"Configuration related to the generated ServiceMonitor","type":"object","properties":{"enabled":{"description":"Enables or disables the creation of the ServiceMonitor.","type":"boolean"},"interval":{"description":"Interval at which metrics should be scraped","type":"string"},"scrapeTimeout":{"description":"Timeout after which the scrape is ended","type":"string"}}},"startOptimized":{"description":"Set to force the behavior of the --optimized flag for the start command. If left unspecified the operator will assume custom images have already been augmented.","type":"boolean"},"startupProbe":{"description":"Configuration for startup probe, by default it is 1 for periodSeconds and 600 for failureThreshold","type":"object","properties":{"failureThreshold":{"type":"integer"},"periodSeconds":{"type":"integer"}}},"tracing":{"description":"In this section you can configure OpenTelemetry Tracing for Keycloak.","type":"object","properties":{"compression":{"description":"OpenTelemetry compression method used to compress payloads. 
If unset, compression is disabled. Possible values are: gzip, none.","type":"string"},"enabled":{"description":"Enables the OpenTelemetry tracing.","type":"boolean"},"endpoint":{"description":"OpenTelemetry endpoint to connect to.","type":"string"},"protocol":{"description":"OpenTelemetry protocol used for the telemetry data (default 'grpc'). For more information, check the Tracing guide.","type":"string"},"resourceAttributes":{"description":"OpenTelemetry resource attributes present in the exported trace to characterize the telemetry producer.","type":"object","additionalProperties":{"type":"string"}},"samplerRatio":{"description":"OpenTelemetry sampler ratio. Probability that a span will be sampled. Expected double value in interval [0,1].","type":"number"},"samplerType":{"description":"OpenTelemetry sampler to use for tracing (default 'traceidratio'). For more information, check the Tracing guide.","type":"string"},"serviceName":{"description":"OpenTelemetry service name. Takes precedence over 'service.name' defined in the 'resourceAttributes' map.","type":"string"}}},"transaction":{"description":"In this section you can find all properties related to the settings of transaction behavior.","type":"object","properties":{"xaEnabled":{"description":"Determine whether Keycloak should use a non-XA datasource in case the database does not support XA transactions.","type":"boolean"}}},"truststores":{"description":"In this section you can configure Keycloak truststores.","type":"object","additionalProperties":{"type":"object","properties":{"configMap":{"description":"The ConfigMap containing the trust material - only set one of the other secret or configMap","type":"object","required":["name"],"properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}},"name":{"description":"Not used. 
To be removed in later versions.","type":"string"},"secret":{"description":"The Secret containing the trust material - only set one of the other secret or configMap","type":"object","required":["name"],"properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}}}}},"unsupported":{"description":"In this section you can configure podTemplate advanced features, not production-ready, and not supported settings.\nUse at your own risk and open an issue with your use-case if you don't find an alternative way.","type":"object","properties":{"podTemplate":{"description":"You can configure a pod template that will be merged with the one configured by default by the operator.\nUse at your own risk, we reserve the possibility to remove/change the way any field gets merged in future releases without notice.\nReference: https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates","type":"object","properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"creationTimestamp":{"type":"string"},"deletionGracePeriodSeconds":{"type":"integer"},"deletionTimestamp":{"type":"string"},"finalizers":{"type":"array","items":{"type":"string"}},"generateName":{"type":"string"},"generation":{"type":"integer"},"labels":{"type":"object","additionalProperties":{"type":"string"}},"managedFields":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldsType":{"type":"string"},"fieldsV1":{"type":"object"},"manager":{"type":"string"},"operation":{"type":"string"},"subresource":{"type":"string"},"time":{"type":"string"}}}},"name":{"type":"string"},"namespace":{"type":"string"},"ownerReferences":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"blockOwnerDeletion":{"type":"boolean"},"controller":{"type":"boolean"},"kind":{"type":"string"},"name":{"type":"string"},"uid":{"type":"string"}}}},"resourceVersion":{"type":"string"},"selfLink":{"type":"string"},"uid":{"t
ype":"string"}}},"spec":{"type":"object","properties":{"activeDeadlineSeconds":{"type":"integer"},"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}}}}}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"
key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"ty
pe":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}}}},"automountServiceAccountToken":{"type":"boolean"},"containers":{"type":"array","items":{"type":"object","properties":{"args":{"type":"array","items":{"type":"string"}},"command":{"type":"array","items":{"type":"string"}},"env":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"fieldRef":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}}},"resourceFieldRef":{"type":"object","properties":{"containerName":{"type":"string"},"divisor":{"x-kubernetes-int-or-string":true},"resource":{"type":"string"}}},
"secretKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}}}}},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"por
t":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","properties":{"containerPort":{"type":"integer"},"hostIP":{"type":"string"},"hostPort":{"type":"integer"},"name":{"type":"string"},"protocol":{"type":"string"}}}},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"resizePolicy":{"type":"array","items":{"type":"object","properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}}},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","
properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"}},"drop":{"type":"array","items":{"type":"string"}}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object"
,"properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}}},"volumeMounts":{"type":"array","items":{"type":"object","properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}}},"workingDir":{"type":"string"}}}},"dnsConfig":{"type":"object","properties":{"nameservers":{"type":"array","items":{"type":"string"}},"options":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"searches":{"type":"array","items":{"type":"string"}}}},"dnsPolicy":{"type":"string"},"enableServiceLinks":{"type":"boolean"},"ephemeralContainers":{"type":"array","items":{"type":"object","properties":{"args":{"type":"array","items":{"type":"string"}},"command":{"type":"array","items":{"type":"string"}},"env":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"fieldRef":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}}},"resourceFieldRef":{"type":"object","properties":{"containerName":{"type":"string"},"divisor":{"x-kubernetes-int-or-string":true},"resource":{"type":"string"}}},"secretKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean
"}}}}}}}},"envFrom":{"type":"array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}}}}},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"htt
pHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","properties":{"containerPort":{"type":"integer"},"hostIP":{"type":"string"},"hostPort":{"type":"integer"},"name":{"type":"string"},"protocol":{"type":"string"}}}},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"resizePolicy":{"type":"array","items":{"type":"object","properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}}},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-
kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"}},"drop":{"type":"array","items":{"type":"string"}}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"typ
e":"integer"},"timeoutSeconds":{"type":"integer"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"targetContainerName":{"type":"string"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}}},"volumeMounts":{"type":"array","items":{"type":"object","properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}}},"workingDir":{"type":"string"}}}},"hostAliases":{"type":"array","items":{"type":"object","properties":{"hostnames":{"type":"array","items":{"type":"string"}},"ip":{"type":"string"}}}},"hostIPC":{"type":"boolean"},"hostNetwork":{"type":"boolean"},"hostPID":{"type":"boolean"},"hostUsers":{"type":"boolean"},"hostname":{"type":"string"},"imagePullSecrets":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"}}}},"initContainers":{"type":"array","items":{"type":"object","properties":{"args":{"type":"array","items":{"type":"string"}},"command":{"type":"array","items":{"type":"string"}},"env":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object","properties":{"configMapKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}},"fieldRef":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}}},"resourceFieldRef":{"type":"object","properties":{"containerName":{"type":"string"},"divisor":{"x-kubernetes-int-or-string":true},"resource":{"type":"string"}}},"secretKeyRef":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}}}}}}},"envFrom":{"type":"
array","items":{"type":"object","properties":{"configMapRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}},"prefix":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"},"optional":{"type":"boolean"}}}}}},"image":{"type":"string"},"imagePullPolicy":{"type":"string"},"lifecycle":{"type":"object","properties":{"postStart":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"preStop":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"sleep":{"type":"object","properties":{"seconds":{"type":"integer"}}},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}}}},"stopSignal":{"type":"string"}}},"livenessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","it
ems":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"name":{"type":"string"},"ports":{"type":"array","items":{"type":"object","properties":{"containerPort":{"type":"integer"},"hostIP":{"type":"string"},"hostPort":{"type":"integer"},"name":{"type":"string"},"protocol":{"type":"string"}}}},"readinessProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds":{"type":"integer"}}},"resizePolicy":{"type":"array","items":{"type":"object","properties":{"resourceName":{"type":"string"},"restartPolicy":{"type":"string"}}}},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":tru
e}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"securityContext":{"type":"object","properties":{"allowPrivilegeEscalation":{"type":"boolean"},"appArmorProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"capabilities":{"type":"object","properties":{"add":{"type":"array","items":{"type":"string"}},"drop":{"type":"array","items":{"type":"string"}}}},"privileged":{"type":"boolean"},"procMount":{"type":"string"},"readOnlyRootFilesystem":{"type":"boolean"},"runAsGroup":{"type":"integer"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"startupProbe":{"type":"object","properties":{"exec":{"type":"object","properties":{"command":{"type":"array","items":{"type":"string"}}}},"failureThreshold":{"type":"integer"},"grpc":{"type":"object","properties":{"port":{"type":"integer"},"service":{"type":"string"}}},"httpGet":{"type":"object","properties":{"host":{"type":"string"},"httpHeaders":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"path":{"type":"string"},"port":{"x-kubernetes-int-or-string":true},"scheme":{"type":"string"}}},"initialDelaySeconds":{"type":"integer"},"periodSeconds":{"type":"integer"},"successThreshold":{"type":"integer"},"tcpSocket":{"type":"object","properties":{"host":{"type":"string"},"port":{"x-kubernetes-int-or-string":true}}},"terminationGracePeriodSeconds":{"type":"integer"},"timeoutSeconds
":{"type":"integer"}}},"stdin":{"type":"boolean"},"stdinOnce":{"type":"boolean"},"terminationMessagePath":{"type":"string"},"terminationMessagePolicy":{"type":"string"},"tty":{"type":"boolean"},"volumeDevices":{"type":"array","items":{"type":"object","properties":{"devicePath":{"type":"string"},"name":{"type":"string"}}}},"volumeMounts":{"type":"array","items":{"type":"object","properties":{"mountPath":{"type":"string"},"mountPropagation":{"type":"string"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"recursiveReadOnly":{"type":"string"},"subPath":{"type":"string"},"subPathExpr":{"type":"string"}}}},"workingDir":{"type":"string"}}}},"nodeName":{"type":"string"},"nodeSelector":{"type":"object","additionalProperties":{"type":"string"}},"os":{"type":"object","properties":{"name":{"type":"string"}}},"overhead":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"preemptionPolicy":{"type":"string"},"priority":{"type":"integer"},"priorityClassName":{"type":"string"},"readinessGates":{"type":"array","items":{"type":"object","properties":{"conditionType":{"type":"string"}}}},"resourceClaims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"resourceClaimName":{"type":"string"},"resourceClaimTemplateName":{"type":"string"}}}},"resources":{"type":"object","properties":{"claims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}},"restartPolicy":{"type":"string"},"runtimeClassName":{"type":"string"},"schedulerName":{"type":"string"},"schedulingGates":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"}}}},"securityContext":{"type":"object","properties":{"appArmorProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"s
tring"}}},"fsGroup":{"type":"integer"},"fsGroupChangePolicy":{"type":"string"},"runAsGroup":{"type":"integer"},"runAsNonRoot":{"type":"boolean"},"runAsUser":{"type":"integer"},"seLinuxChangePolicy":{"type":"string"},"seLinuxOptions":{"type":"object","properties":{"level":{"type":"string"},"role":{"type":"string"},"type":{"type":"string"},"user":{"type":"string"}}},"seccompProfile":{"type":"object","properties":{"localhostProfile":{"type":"string"},"type":{"type":"string"}}},"supplementalGroups":{"type":"array","items":{"type":"integer"}},"supplementalGroupsPolicy":{"type":"string"},"sysctls":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}}},"windowsOptions":{"type":"object","properties":{"gmsaCredentialSpec":{"type":"string"},"gmsaCredentialSpecName":{"type":"string"},"hostProcess":{"type":"boolean"},"runAsUserName":{"type":"string"}}}}},"serviceAccount":{"type":"string"},"serviceAccountName":{"type":"string"},"setHostnameAsFQDN":{"type":"boolean"},"shareProcessNamespace":{"type":"boolean"},"subdomain":{"type":"string"},"terminationGracePeriodSeconds":{"type":"integer"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"maxSkew":{"type":"integer"},"minDomains":{"type":"integer"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{
"type":"string"}}}},"volumes":{"type":"array","items":{"type":"object","properties":{"awsElasticBlockStore":{"type":"object","properties":{"fsType":{"type":"string"},"partition":{"type":"integer"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"azureDisk":{"type":"object","properties":{"cachingMode":{"type":"string"},"diskName":{"type":"string"},"diskURI":{"type":"string"},"fsType":{"type":"string"},"kind":{"type":"string"},"readOnly":{"type":"boolean"}}},"azureFile":{"type":"object","properties":{"readOnly":{"type":"boolean"},"secretName":{"type":"string"},"shareName":{"type":"string"}}},"cephfs":{"type":"object","properties":{"monitors":{"type":"array","items":{"type":"string"}},"path":{"type":"string"},"readOnly":{"type":"boolean"},"secretFile":{"type":"string"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"user":{"type":"string"}}},"cinder":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"volumeID":{"type":"string"}}},"configMap":{"type":"object","properties":{"defaultMode":{"type":"integer"},"items":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"mode":{"type":"integer"},"path":{"type":"string"}}}},"name":{"type":"string"},"optional":{"type":"boolean"}}},"csi":{"type":"object","properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"nodePublishSecretRef":{"type":"object","properties":{"name":{"type":"string"}}},"readOnly":{"type":"boolean"},"volumeAttributes":{"type":"object","additionalProperties":{"type":"string"}}}},"downwardAPI":{"type":"object","properties":{"defaultMode":{"type":"integer"},"items":{"type":"array","items":{"type":"object","properties":{"fieldRef":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}}},"mode":{"type":"integer"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","properties":{"containerNa
me":{"type":"string"},"divisor":{"x-kubernetes-int-or-string":true},"resource":{"type":"string"}}}}}}}},"emptyDir":{"type":"object","properties":{"medium":{"type":"string"},"sizeLimit":{"x-kubernetes-int-or-string":true}}},"ephemeral":{"type":"object","properties":{"volumeClaimTemplate":{"type":"object","properties":{"metadata":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"string"}},"creationTimestamp":{"type":"string"},"deletionGracePeriodSeconds":{"type":"integer"},"deletionTimestamp":{"type":"string"},"finalizers":{"type":"array","items":{"type":"string"}},"generateName":{"type":"string"},"generation":{"type":"integer"},"labels":{"type":"object","additionalProperties":{"type":"string"}},"managedFields":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldsType":{"type":"string"},"fieldsV1":{"type":"object"},"manager":{"type":"string"},"operation":{"type":"string"},"subresource":{"type":"string"},"time":{"type":"string"}}}},"name":{"type":"string"},"namespace":{"type":"string"},"ownerReferences":{"type":"array","items":{"type":"object","properties":{"apiVersion":{"type":"string"},"blockOwnerDeletion":{"type":"boolean"},"controller":{"type":"boolean"},"kind":{"type":"string"},"name":{"type":"string"},"uid":{"type":"string"}}}},"resourceVersion":{"type":"string"},"selfLink":{"type":"string"},"uid":{"type":"string"}}},"spec":{"type":"object","properties":{"accessModes":{"type":"array","items":{"type":"string"}},"dataSource":{"type":"object","properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"}}},"dataSourceRef":{"type":"object","properties":{"apiGroup":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-i
nt-or-string":true}}}},"selector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"storageClassName":{"type":"string"},"volumeAttributesClassName":{"type":"string"},"volumeMode":{"type":"string"},"volumeName":{"type":"string"}}}}}}},"fc":{"type":"object","properties":{"fsType":{"type":"string"},"lun":{"type":"integer"},"readOnly":{"type":"boolean"},"targetWWNs":{"type":"array","items":{"type":"string"}},"wwids":{"type":"array","items":{"type":"string"}}}},"flexVolume":{"type":"object","properties":{"driver":{"type":"string"},"fsType":{"type":"string"},"options":{"type":"object","additionalProperties":{"type":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}}}},"flocker":{"type":"object","properties":{"datasetName":{"type":"string"},"datasetUUID":{"type":"string"}}},"gcePersistentDisk":{"type":"object","properties":{"fsType":{"type":"string"},"partition":{"type":"integer"},"pdName":{"type":"string"},"readOnly":{"type":"boolean"}}},"gitRepo":{"type":"object","properties":{"directory":{"type":"string"},"repository":{"type":"string"},"revision":{"type":"string"}}},"glusterfs":{"type":"object","properties":{"endpoints":{"type":"string"},"path":{"type":"string"},"readOnly":{"type":"boolean"}}},"hostPath":{"type":"object","properties":{"path":{"type":"string"},"type":{"type":"string"}}},"image":{"type":"object","properties":{"pullPolicy":{"type":"string"},"reference":{"type":"string"}}},"iscsi":{"type":"object","properties":{"chapAuthDiscovery":{"type":"boolean"},"chapAuthSession":{"type":"boolean"},"fsType":{"type":"string"},"initiatorName":{"type":"string"},"iqn":{"type":"string"},"iscsiInterface":{"type":"string"},"lun":{"type":"integer"},"portals":{"type":"array","items":{"t
ype":"string"}},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"targetPortal":{"type":"string"}}},"name":{"type":"string"},"nfs":{"type":"object","properties":{"path":{"type":"string"},"readOnly":{"type":"boolean"},"server":{"type":"string"}}},"persistentVolumeClaim":{"type":"object","properties":{"claimName":{"type":"string"},"readOnly":{"type":"boolean"}}},"photonPersistentDisk":{"type":"object","properties":{"fsType":{"type":"string"},"pdID":{"type":"string"}}},"portworxVolume":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"volumeID":{"type":"string"}}},"projected":{"type":"object","properties":{"defaultMode":{"type":"integer"},"sources":{"type":"array","items":{"type":"object","properties":{"clusterTrustBundle":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"name":{"type":"string"},"optional":{"type":"boolean"},"path":{"type":"string"},"signerName":{"type":"string"}}},"configMap":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"mode":{"type":"integer"},"path":{"type":"string"}}}},"name":{"type":"string"},"optional":{"type":"boolean"}}},"downwardAPI":{"type":"object","properties":{"items":{"type":"array","items":{"type":"object","properties":{"fieldRef":{"type":"object","properties":{"apiVersion":{"type":"string"},"fieldPath":{"type":"string"}}},"mode":{"type":"integer"},"path":{"type":"string"},"resourceFieldRef":{"type":"object","properties":{"containerName":{"type":"string"},"divisor":{"x-kubernetes-int-or-string":true},"resource":{"type":"string"}}}}}}}},"secret":{"type":"object","properties":{"items":{"type":"arra
y","items":{"type":"object","properties":{"key":{"type":"string"},"mode":{"type":"integer"},"path":{"type":"string"}}}},"name":{"type":"string"},"optional":{"type":"boolean"}}},"serviceAccountToken":{"type":"object","properties":{"audience":{"type":"string"},"expirationSeconds":{"type":"integer"},"path":{"type":"string"}}}}}}}},"quobyte":{"type":"object","properties":{"group":{"type":"string"},"readOnly":{"type":"boolean"},"registry":{"type":"string"},"tenant":{"type":"string"},"user":{"type":"string"},"volume":{"type":"string"}}},"rbd":{"type":"object","properties":{"fsType":{"type":"string"},"image":{"type":"string"},"keyring":{"type":"string"},"monitors":{"type":"array","items":{"type":"string"}},"pool":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"user":{"type":"string"}}},"scaleIO":{"type":"object","properties":{"fsType":{"type":"string"},"gateway":{"type":"string"},"protectionDomain":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"sslEnabled":{"type":"boolean"},"storageMode":{"type":"string"},"storagePool":{"type":"string"},"system":{"type":"string"},"volumeName":{"type":"string"}}},"secret":{"type":"object","properties":{"defaultMode":{"type":"integer"},"items":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"mode":{"type":"integer"},"path":{"type":"string"}}}},"optional":{"type":"boolean"},"secretName":{"type":"string"}}},"storageos":{"type":"object","properties":{"fsType":{"type":"string"},"readOnly":{"type":"boolean"},"secretRef":{"type":"object","properties":{"name":{"type":"string"}}},"volumeName":{"type":"string"},"volumeNamespace":{"type":"string"}}},"vsphereVolume":{"type":"object","properties":{"fsType":{"type":"string"},"storagePolicyID":{"type":"string"},"storagePolicyName":{"type":"string"},"volumePath":{"type":"string"}}}}}}}}}}}},"update":{"description":"Configuration 
related to Keycloak deployment updates.","type":"object","properties":{"revision":{"description":"When using the Explicit strategy, the revision signals if a rolling update can be used or not.","type":"string"},"scheduling":{"description":"In this section you can configure the update job's scheduling","type":"object","properties":{"affinity":{"type":"object","properties":{"nodeAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"preference":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"object","properties":{"nodeSelectorTerms":{"type":"array","items":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchFields":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}}}}}}}}},"podAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys"
:{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}},"podAntiAffinity":{"type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"podAffinityTerm":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":
"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}},"weight":{"type":"integer"}}}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"mismatchLabelKeys":{"type":"array","items":{"type":"string"}},"namespaceSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"namespaces":{"type":"array","items":{"type":"string"}},"topologyKey":{"type":"string"}}}}}}}},"priorityClassName":{"type":"string"},"tolerations":{"type":"array","items":{"type":"object","properties":{"effect":{"type":"string"},"key":{"type":"string"},"operator":{"type":"string"},"tolerationSeconds":{"type":"integer"},"value":{"type":"string"}}}},"topologySpreadConstraints":{"type":"array","items":{"type":"object","properties":{"labelSelector":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"type":"object","properties":{"key":{"type":"string"},"operator":{"type":"string"},"values":{"type":"array","i
tems":{"type":"string"}}}}},"matchLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"matchLabelKeys":{"type":"array","items":{"type":"string"}},"maxSkew":{"type":"integer"},"minDomains":{"type":"integer"},"nodeAffinityPolicy":{"type":"string"},"nodeTaintsPolicy":{"type":"string"},"topologyKey":{"type":"string"},"whenUnsatisfiable":{"type":"string"}}}}}},"strategy":{"description":"Sets the update strategy to use.","type":"string","enum":["Auto","Explicit","RecreateOnImageChange"]}},"x-kubernetes-validations":[{"message":"The 'revision' field is required when 'Explicit' strategy is used","rule":"self.strategy != 'Explicit' || has(self.revision)"}]}}},"status":{"type":"object","properties":{"conditions":{"type":"array","items":{"type":"object","properties":{"lastTransitionTime":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer"},"status":{"type":"string"},"type":{"type":"string"}}}},"instances":{"type":"integer"},"observedGeneration":{"type":"integer"},"selector":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"k8s.keycloak.org","kind":"Keycloak","version":"v2alpha1"}],"title":"org.keycloak.k8s.v2alpha1.Keycloak"},"org.keycloak.k8s.v2alpha1.KeycloakList":{"description":"KeycloakList is a list of Keycloak","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of keycloaks. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/org.keycloak.k8s.v2alpha1.Keycloak"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"k8s.keycloak.org","kind":"KeycloakList","version":"v2alpha1"}],"title":"org.keycloak.k8s.v2alpha1.KeycloakList"},"org.keycloak.k8s.v2alpha1.KeycloakRealmImport":{"type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["keycloakCRName","realm"],"properties":{"keycloakCRName":{"description":"The name of the Keycloak CR to reference, in the same namespace.","type":"string"},"placeholders":{"description":"Optionally set to replace ENV variable placeholders in the realm import.","type":"object","additionalProperties":{"type":"object","properties":{"secret":{"type":"object","properties":{"key":{"type":"string"},"name":{"type":"string"},"optional":{"type":"boolean"}}}}}},"realm":{"description":"The RealmRepresentation to import into Keycloak.","type":"object","properties":{"accessCodeLifespan":{"type":"integer"},"accessCodeLifespanLogin":{"type":"integer"},"accessCodeLifespanUserAction":{"type":"integer"},"accessTokenLifespan":{"type":"integer"},"accessTokenLifespanForImplicitFlow":{"type":"integer"},"accountTheme":{"type":"string"},"actionTokenGeneratedByAdminLifespan":{"type":"integer"},"actionTokenGeneratedByUserLifespan":{"type":"integer"},"adminEventsDetailsEnabled":{"type":"boolean"},"adminEventsEnabled":{"type":"boolean"},"adminPermissionsClient":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"adminUrl":{"type":"string"},"alwaysDisplayInConsole":{"type":"boolean"},"attributes":{"type":"object","additionalProperties":{"type":"string"}},"authenticationFlowBindingOverrides":{"type":"object","additionalProperties":{"type":"string"}},"authorizationServicesEnabled":{"type":"boolean"},"authorizationSettings":{"type":"object","properties":{"allowRemoteResourceManagement":{"type":"boolean"},"authorizationSchema":{"type":"object","properties":{"resourceTypes":{"type":"object","additionalProperties":{"type":"object","properties":{"groupType":{"type":"string"},"scopeAliases":{"type":"object","additionalProperties":{"type":"array",
"items":{"type":"string"}}},"scopes":{"type":"array","items":{"type":"string"}},"type":{"type":"string"}}}}}},"clientId":{"type":"string"},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"id":{"type":"string"},"name":{"type":"string"},"policies":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"description":{"type":"string"},"id":{"type":"string"},"logic":{"type":"string","enum":["NEGATIVE","POSITIVE"]},"name":{"type":"string"},"owner":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"resourceType":{"type":"string"},"resources":{"type":"array","items":{"type":"string"}},"resourcesData":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"string"}},"scopesData":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"}}}},"policyEnforcementMode":{"type":"string","enum":["DISABLED","ENFORCING","PERMISSIVE"]},"resources":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName
":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}}}},"baseUrl":{"type":"string"},"bearerOnly":{"type":"boolean"},"clientAuthenticatorType":{"type":"string"},"clientId":{"type":"string"},"clientTemplate":{"type":"string"},"consentRequired":{"type":"boolean"},"defaultClientScopes":{"type":"array","items":{"type":"string"}},"defaultRoles":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"directAccessGrantsEnabled":{"type":"boolean"},"directGrantsOnly":{"type":"boolean"},"enabled":{"type":"boolean"},"frontchannelLogout":{"type":"boolean"},"fullScopeAllowed":{"type":"boolean"},"id":{"type":"string"},"implicitFlowEnabled":{"type":"boolean"},"name":{"type":"string"},"nodeReRegistrationTimeout":{"type":"integer"},"notBefore":{"type":"integer"},"optionalClientScopes":{"type":"array","items":{"type":"string"}},"origin":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicClient":{"type":"boolean"},"redirectUris":{"type":"array","items":{"type":"string"}},"registeredNodes":{"type":"object","additionalProperties":{"type":"integer"}},"registrationAccessToken":{"typ
e":"string"},"rootUrl":{"type":"string"},"secret":{"type":"string"},"serviceAccountsEnabled":{"type":"boolean"},"standardFlowEnabled":{"type":"boolean"},"surrogateAuthRequired":{"type":"boolean"},"type":{"type":"string"},"useTemplateConfig":{"type":"boolean"},"useTemplateMappers":{"type":"boolean"},"useTemplateScope":{"type":"boolean"},"webOrigins":{"type":"array","items":{"type":"string"}}}},"adminPermissionsEnabled":{"type":"boolean"},"adminTheme":{"type":"string"},"applicationScopeMappings":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"client":{"type":"string"},"clientScope":{"type":"string"},"clientTemplate":{"type":"string"},"roles":{"type":"array","items":{"type":"string"}},"self":{"type":"string"}}}}},"applications":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"adminUrl":{"type":"string"},"alwaysDisplayInConsole":{"type":"boolean"},"attributes":{"type":"object","additionalProperties":{"type":"string"}},"authenticationFlowBindingOverrides":{"type":"object","additionalProperties":{"type":"string"}},"authorizationServicesEnabled":{"type":"boolean"},"authorizationSettings":{"type":"object","properties":{"allowRemoteResourceManagement":{"type":"boolean"},"authorizationSchema":{"type":"object","properties":{"resourceTypes":{"type":"object","additionalProperties":{"type":"object","properties":{"groupType":{"type":"string"},"scopeAliases":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"scopes":{"type":"array","items":{"type":"string"}},"type":{"type":"string"}}}}}},"clientId":{"type":"string"},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"id":{"type":"string"},"name":{"type":"string"},"policies":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"decisionStrategy":{"type":"string","enum":["AFFIR
MATIVE","CONSENSUS","UNANIMOUS"]},"description":{"type":"string"},"id":{"type":"string"},"logic":{"type":"string","enum":["NEGATIVE","POSITIVE"]},"name":{"type":"string"},"owner":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"resourceType":{"type":"string"},"resources":{"type":"array","items":{"type":"string"}},"resourcesData":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"string"}},"scopesData":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"}}}},"policyEnforcementMode":{"type":"string","enum":["DISABLED","ENFORCING","PERMISSIVE"]},"resources":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}}
,"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}}}},"baseUrl":{"type":"string"},"bearerOnly":{"type":"boolean"},"claims":{"type":"object","properties":{"address":{"type":"boolean"},"email":{"type":"boolean"},"gender":{"type":"boolean"},"locale":{"type":"boolean"},"name":{"type":"boolean"},"phone":{"type":"boolean"},"picture":{"type":"boolean"},"profile":{"type":"boolean"},"username":{"type":"boolean"},"website":{"type":"boolean"}}},"clientAuthenticatorType":{"type":"string"},"clientId":{"type":"string"},"clientTemplate":{"type":"string"},"consentRequired":{"type":"boolean"},"defaultClientScopes":{"type":"array","items":{"type":"string"}},"defaultRoles":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"directAccessGrantsEnabled":{"type":"boolean"},"directGrantsOnly":{"type":"boolean"},"enabled":{"type":"boolean"},"frontchannelLogout":{"type":"boolean"},"fullScopeAllowed":{"type":"boolean"},"id":{"type":"string"},"implicitFlowEnabled":{"type":"boolean"},"name":{"type":"string"},"nodeReRegistrationTimeout":{"type":"integer"},"notBefore":{"type":"integer"},"optionalClientScopes":{"type":"array","items":{"type":"string"}},"origin":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicClient":{"type":"boolean"},"redirectUris":{"type":"array","items":{"type":"string"}},"registeredNodes":{"type":"object","additionalProperties":{"type":"integer"}},"registrationAccessToken":{"type":"string"},"rootUrl":{"type":"string"},"secret":{"type":"string"},"serviceAccountsEnabled":{"type":"boolean"},"standardFlowEnable
d":{"type":"boolean"},"surrogateAuthRequired":{"type":"boolean"},"type":{"type":"string"},"useTemplateConfig":{"type":"boolean"},"useTemplateMappers":{"type":"boolean"},"useTemplateScope":{"type":"boolean"},"webOrigins":{"type":"array","items":{"type":"string"}}}}},"attributes":{"type":"object","additionalProperties":{"type":"string"}},"authenticationFlows":{"type":"array","items":{"type":"object","properties":{"alias":{"type":"string"},"authenticationExecutions":{"type":"array","items":{"type":"object","properties":{"authenticator":{"type":"string"},"authenticatorConfig":{"type":"string"},"authenticatorFlow":{"type":"boolean"},"autheticatorFlow":{"type":"boolean"},"flowAlias":{"type":"string"},"priority":{"type":"integer"},"requirement":{"type":"string"},"userSetupAllowed":{"type":"boolean"}}}},"builtIn":{"type":"boolean"},"description":{"type":"string"},"id":{"type":"string"},"providerId":{"type":"string"},"topLevel":{"type":"boolean"}}}},"authenticatorConfig":{"type":"array","items":{"type":"object","properties":{"alias":{"type":"string"},"config":{"type":"object","additionalProperties":{"type":"string"}},"id":{"type":"string"}}}},"browserFlow":{"type":"string"},"browserSecurityHeaders":{"type":"object","additionalProperties":{"type":"string"}},"bruteForceProtected":{"type":"boolean"},"bruteForceStrategy":{"type":"string","enum":["LINEAR","MULTIPLE"]},"certificate":{"type":"string"},"clientAuthenticationFlow":{"type":"string"},"clientOfflineSessionIdleTimeout":{"type":"integer"},"clientOfflineSessionMaxLifespan":{"type":"integer"},"clientPolicies":{"x-kubernetes-preserve-unknown-fields":true},"clientProfiles":{"x-kubernetes-preserve-unknown-fields":true},"clientScopeMappings":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"client":{"type":"string"},"clientScope":{"type":"string"},"clientTemplate":{"type":"string"},"roles":{"type":"array","items":{"type":"string"}},"self":{"type":"string"}}}}},"clientScopes":{"type":
"array","items":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"string"}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}}}}},"clientSessionIdleTimeout":{"type":"integer"},"clientSessionMaxLifespan":{"type":"integer"},"clientTemplates":{"type":"array","items":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"string"}},"bearerOnly":{"type":"boolean"},"consentRequired":{"type":"boolean"},"description":{"type":"string"},"directAccessGrantsEnabled":{"type":"boolean"},"frontchannelLogout":{"type":"boolean"},"fullScopeAllowed":{"type":"boolean"},"id":{"type":"string"},"implicitFlowEnabled":{"type":"boolean"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicClient":{"type":"boolean"},"serviceAccountsEnabled":{"type":"boolean"},"standardFlowEnabled":{"type":"boolean"}}}},"clients":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"adminUrl":{"type":"string"},"alwaysDisplayInConsole":{"type":"boolean"},"attributes":{"type":"object","additionalProperties":{"type":"string"}},"authenticationFlowBindingOverrides":{"type":"object","additionalProperties":{"type":"string"}},"authorizationServicesEnabled":{"type":"b
oolean"},"authorizationSettings":{"type":"object","properties":{"allowRemoteResourceManagement":{"type":"boolean"},"authorizationSchema":{"type":"object","properties":{"resourceTypes":{"type":"object","additionalProperties":{"type":"object","properties":{"groupType":{"type":"string"},"scopeAliases":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"scopes":{"type":"array","items":{"type":"string"}},"type":{"type":"string"}}}}}},"clientId":{"type":"string"},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"id":{"type":"string"},"name":{"type":"string"},"policies":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"description":{"type":"string"},"id":{"type":"string"},"logic":{"type":"string","enum":["NEGATIVE","POSITIVE"]},"name":{"type":"string"},"owner":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"resourceType":{"type":"string"},"resources":{"type":"array","items":{"type":"string"}},"resourcesData":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"string"}},"scopesData":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"typ
e":"string"},"name":{"type":"string"}}}},"type":{"type":"string"}}}},"policyEnforcementMode":{"type":"string","enum":["DISABLED","ENFORCING","PERMISSIVE"]},"resources":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}}}},"baseUrl":{"type":"string"},"bearerOnly":{"type":"boolean"},"clientAuthenticatorType":{"type":"string"},"clientId":{"type":"string"},"clientTemplate":{"type":"string"},"consentRequired":{"type":"boolean"},"defaultClientScopes":{"type":"array","items":{"type":"string"}},"defaultRoles":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"directAccessGrantsEnabled":{"type":"boolean"},"directGrantsOnly":{"type":"boolean"},"enabled":{"type":"boolean"},"frontchannelLogout":{"type":"boolean"},"fullScopeAllowed":{"type":"boolean"},"id":{"type":"string"},"implicitFlowEnabled":{"type":"boolean"},"name":{"type":"string"},"nodeReRegistrationTimeout":{"type":"integer"},"notBefore":{"type":"integer"},"optionalClientScopes":{"type":"array","items":{"type":"string"}},"origin":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"bo
olean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicClient":{"type":"boolean"},"redirectUris":{"type":"array","items":{"type":"string"}},"registeredNodes":{"type":"object","additionalProperties":{"type":"integer"}},"registrationAccessToken":{"type":"string"},"rootUrl":{"type":"string"},"secret":{"type":"string"},"serviceAccountsEnabled":{"type":"boolean"},"standardFlowEnabled":{"type":"boolean"},"surrogateAuthRequired":{"type":"boolean"},"type":{"type":"string"},"useTemplateConfig":{"type":"boolean"},"useTemplateMappers":{"type":"boolean"},"useTemplateScope":{"type":"boolean"},"webOrigins":{"type":"array","items":{"type":"string"}}}}},"codeSecret":{"type":"string"},"components":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type"
:"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subComponents":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"id":{"type":"string"},"name":{"type":"string"},"providerId":{"type":"string"},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":
{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"subType":{"type":"string"}}}}},"defaultDefaultClientScopes":{"type":"array","items":{"type":"string"}},"defaultGroups":{"type":"array","items":{"type":"string"}},"defaultLocale":{"type":"string"},"defaultOptionalClientScopes":{"type":"array","items":{"type":"string"}},"defaultRole":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRole":{"type":"boolean"},"composite":{"type":"boolean"},"composites":{"type":"object","properties":{"application":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"client":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"realm":{"type":"array","items":{"type":"string"}}}},"containerId":{"type":"string"},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"scopeParamRequired":{"type":"boolean"}}},"defaultRoles":{"type":"array","items":{"type":"string"}},"defaultSignatureAlgorithm":{"type":"string"},"directGrantFlow":{"type":"string"},"displayName":{"type":"string"},"displayNameHtml":{"type":"string"},"dockerAuthenticationFlow":{"type":"string"},"duplicateEmailsAllowed":{"type":"boolean"},"editUsernameAllowed":{"type":"boolean"},"emailTheme":{"type":"string"},"enabled":{"type":"boolean"},"enabledEventTypes":{"type":"array","items":{"type":"string"}},"eventsEnabled":{"type":"boolean"},"eventsExpiration":{"type":"integer"},"eventsListeners":{"type":"array","items":{"type":"string"}},"failureFactor":{"type":"integer"},"federatedUsers":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"applicationRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string
"}}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientConsents":{"type":"array","items":{"type":"object","properties":{"clientId":{"type":"string"},"createdDate":{"type":"integer"},"grantedClientScopes":{"type":"array","items":{"type":"string"}},"grantedRealmRoles":{"type":"array","items":{"type":"string"}},"lastUpdatedDate":{"type":"integer"}}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"createdTimestamp":{"type":"integer"},"credentials":{"type":"array","items":{"type":"object","properties":{"algorithm":{"type":"string"},"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"counter":{"type":"integer"},"createdDate":{"type":"integer"},"credentialData":{"type":"string"},"device":{"type":"string"},"digits":{"type":"integer"},"federationLink":{"type":"string"},"hashIterations":{"type":"integer"},"hashedSaltedValue":{"type":"string"},"id":{"type":"string"},"period":{"type":"integer"},"priority":{"type":"integer"},"salt":{"type":"string"},"secretData":{"type":"string"},"temporary":{"type":"boolean"},"type":{"type":"string"},"userLabel":{"type":"string"},"value":{"type":"string"}}}},"disableableCredentialTypes":{"type":"array","items":{"type":"string"}},"email":{"type":"string"},"emailVerified":{"type":"boolean"},"enabled":{"type":"boolean"},"federatedIdentities":{"type":"array","items":{"type":"object","properties":{"identityProvider":{"type":"string"},"userId":{"type":"string"},"userName":{"type":"string"}}}},"federationLink":{"type":"string"},"firstName":{"type":"string"},"groups":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"lastName":{"type":"string"},"notBefore":{"type":"integer"},"origin":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"requiredActions":{"type":"array","items":{"type":"string"}},"self":{"type":"string"},"serviceAccountClientId":{"type":"string"},"socialL
inks":{"type":"array","items":{"type":"object","properties":{"socialProvider":{"type":"string"},"socialUserId":{"type":"string"},"socialUsername":{"type":"string"}}}},"totp":{"type":"boolean"},"userProfileMetadata":{"type":"object","properties":{"attributes":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"group":{"type":"string"},"multivalued":{"type":"boolean"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"required":{"type":"boolean"},"validators":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"object"}}}}}},"groups":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"displayDescription":{"type":"string"},"displayHeader":{"type":"string"},"name":{"type":"string"}}}}}},"username":{"type":"string"}}}},"firstBrokerLoginFlow":{"type":"string"},"groups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":
{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"
array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroup
Count":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"},"subGroups":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"parentId":{"type":"string"},"path":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"subGroupCount":{"type":"integer"}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}},"id":{"type":"string"},"identityProviderMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"id":{"type":"string"},"identityProviderAlias":{"type":"string"},"identityProviderMapper":{"type":"string"},"name":{"type":"string"}}}},"identityProviders":{"type":"array","items":{"type":"object","properties":{"addReadTokenRoleOnCreate":{"type":"boolean"},"alias":{"type":"string"},"authenticateByDefault":{"type":"boolean"},"config":{"type":"object","additionalProperties":{"type":"string"}},"displayName":{"type":"string"},"enabled":{"type":"boolean"},"firstBrokerLoginFlowAlias":{"type":"string"},"hideOnLogin":{"type":"boolean"},"internalId":{"type":"string"},"linkOnly":{"type":"boolean"},"organizationId":{"type":"string"},"postBrokerLoginFlowAlias":
{"type":"string"},"providerId":{"type":"string"},"storeToken":{"type":"boolean"},"trustEmail":{"type":"boolean"},"updateProfileFirstLoginMode":{"type":"string"}}}},"internationalizationEnabled":{"type":"boolean"},"keycloakVersion":{"type":"string"},"localizationTexts":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"string"}}},"loginTheme":{"type":"string"},"loginWithEmailAllowed":{"type":"boolean"},"maxDeltaTimeSeconds":{"type":"integer"},"maxFailureWaitSeconds":{"type":"integer"},"maxTemporaryLockouts":{"type":"integer"},"minimumQuickLoginWaitSeconds":{"type":"integer"},"notBefore":{"type":"integer"},"oauth2DeviceCodeLifespan":{"type":"integer"},"oauth2DevicePollingInterval":{"type":"integer"},"oauthClients":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"adminUrl":{"type":"string"},"alwaysDisplayInConsole":{"type":"boolean"},"attributes":{"type":"object","additionalProperties":{"type":"string"}},"authenticationFlowBindingOverrides":{"type":"object","additionalProperties":{"type":"string"}},"authorizationServicesEnabled":{"type":"boolean"},"authorizationSettings":{"type":"object","properties":{"allowRemoteResourceManagement":{"type":"boolean"},"authorizationSchema":{"type":"object","properties":{"resourceTypes":{"type":"object","additionalProperties":{"type":"object","properties":{"groupType":{"type":"string"},"scopeAliases":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"scopes":{"type":"array","items":{"type":"string"}},"type":{"type":"string"}}}}}},"clientId":{"type":"string"},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UNANIMOUS"]},"id":{"type":"string"},"name":{"type":"string"},"policies":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"decisionStrategy":{"type":"string","enum":["AFFIRMATIVE","CONSENSUS","UN
ANIMOUS"]},"description":{"type":"string"},"id":{"type":"string"},"logic":{"type":"string","enum":["NEGATIVE","POSITIVE"]},"name":{"type":"string"},"owner":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"resourceType":{"type":"string"},"resources":{"type":"array","items":{"type":"string"}},"resourcesData":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"array","items":{"type":"string"}},"scopesData":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"}}}},"policyEnforcementMode":{"type":"string","enum":["DISABLED","ENFORCING","PERMISSIVE"]},"resources":{"type":"array","items":{"type":"object","properties":{"_id":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"displayName":{"type":"string"},"icon_uri":{"type":"string"},"name":{"type":"string"},"owner":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"ownerManagedAccess":{"type":"boolean"},"scopes":{"type":"array","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"type":{"type":"string"},"uris":{"type":"array","items":{"type":"string"}}}}},"scopes":{"type":"arra
y","items":{"type":"object","properties":{"displayName":{"type":"string"},"iconUri":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}}}},"baseUrl":{"type":"string"},"bearerOnly":{"type":"boolean"},"claims":{"type":"object","properties":{"address":{"type":"boolean"},"email":{"type":"boolean"},"gender":{"type":"boolean"},"locale":{"type":"boolean"},"name":{"type":"boolean"},"phone":{"type":"boolean"},"picture":{"type":"boolean"},"profile":{"type":"boolean"},"username":{"type":"boolean"},"website":{"type":"boolean"}}},"clientAuthenticatorType":{"type":"string"},"clientId":{"type":"string"},"clientTemplate":{"type":"string"},"consentRequired":{"type":"boolean"},"defaultClientScopes":{"type":"array","items":{"type":"string"}},"defaultRoles":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"directAccessGrantsEnabled":{"type":"boolean"},"directGrantsOnly":{"type":"boolean"},"enabled":{"type":"boolean"},"frontchannelLogout":{"type":"boolean"},"fullScopeAllowed":{"type":"boolean"},"id":{"type":"string"},"implicitFlowEnabled":{"type":"boolean"},"name":{"type":"string"},"nodeReRegistrationTimeout":{"type":"integer"},"notBefore":{"type":"integer"},"optionalClientScopes":{"type":"array","items":{"type":"string"}},"origin":{"type":"string"},"protocol":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicClient":{"type":"boolean"},"redirectUris":{"type":"array","items":{"type":"string"}},"registeredNodes":{"type":"object","additionalProperties":{"type":"integer"}},"registrationAccessToken":{"type":"string"},"rootUrl":{"type":"string"},"secret":{"type":"string"},"serviceAccountsEnabled":{"type":"boolean"},"standardFlowEnabled":{"type":"boolean"},"
surrogateAuthRequired":{"type":"boolean"},"type":{"type":"string"},"useTemplateConfig":{"type":"boolean"},"useTemplateMappers":{"type":"boolean"},"useTemplateScope":{"type":"boolean"},"webOrigins":{"type":"array","items":{"type":"string"}}}}},"offlineSessionIdleTimeout":{"type":"integer"},"offlineSessionMaxLifespan":{"type":"integer"},"offlineSessionMaxLifespanEnabled":{"type":"boolean"},"organizations":{"type":"array","items":{"type":"object","properties":{"alias":{"type":"string"},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"description":{"type":"string"},"domains":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"verified":{"type":"boolean"}}}},"enabled":{"type":"boolean"},"id":{"type":"string"},"identityProviders":{"type":"array","items":{"type":"object","properties":{"addReadTokenRoleOnCreate":{"type":"boolean"},"alias":{"type":"string"},"authenticateByDefault":{"type":"boolean"},"config":{"type":"object","additionalProperties":{"type":"string"}},"displayName":{"type":"string"},"enabled":{"type":"boolean"},"firstBrokerLoginFlowAlias":{"type":"string"},"hideOnLogin":{"type":"boolean"},"internalId":{"type":"string"},"linkOnly":{"type":"boolean"},"organizationId":{"type":"string"},"postBrokerLoginFlowAlias":{"type":"string"},"providerId":{"type":"string"},"storeToken":{"type":"boolean"},"trustEmail":{"type":"boolean"},"updateProfileFirstLoginMode":{"type":"string"}}}},"members":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"applicationRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientConsents":{"type":"array","items":{"type":"object","properties":{"clientId":{"type":"string"},"createdDate":{"type":"integer"},"grantedClientScopes":{"type":"array","items":{"type":"
string"}},"grantedRealmRoles":{"type":"array","items":{"type":"string"}},"lastUpdatedDate":{"type":"integer"}}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"createdTimestamp":{"type":"integer"},"credentials":{"type":"array","items":{"type":"object","properties":{"algorithm":{"type":"string"},"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"counter":{"type":"integer"},"createdDate":{"type":"integer"},"credentialData":{"type":"string"},"device":{"type":"string"},"digits":{"type":"integer"},"federationLink":{"type":"string"},"hashIterations":{"type":"integer"},"hashedSaltedValue":{"type":"string"},"id":{"type":"string"},"period":{"type":"integer"},"priority":{"type":"integer"},"salt":{"type":"string"},"secretData":{"type":"string"},"temporary":{"type":"boolean"},"type":{"type":"string"},"userLabel":{"type":"string"},"value":{"type":"string"}}}},"disableableCredentialTypes":{"type":"array","items":{"type":"string"}},"email":{"type":"string"},"emailVerified":{"type":"boolean"},"enabled":{"type":"boolean"},"federatedIdentities":{"type":"array","items":{"type":"object","properties":{"identityProvider":{"type":"string"},"userId":{"type":"string"},"userName":{"type":"string"}}}},"federationLink":{"type":"string"},"firstName":{"type":"string"},"groups":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"lastName":{"type":"string"},"membershipType":{"type":"string","enum":["MANAGED","UNMANAGED"]},"notBefore":{"type":"integer"},"origin":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"requiredActions":{"type":"array","items":{"type":"string"}},"self":{"type":"string"},"serviceAccountClientId":{"type":"string"},"socialLinks":{"type":"array","items":{"type":"object","properties":{"socialProvider":{"type":"string"},"socialUserId":{"type":"string"},"socialUsername":{"type":"string"}}}},"totp":{"type":"boolean"},"userProfileMetadata":{"type":"o
bject","properties":{"attributes":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"group":{"type":"string"},"multivalued":{"type":"boolean"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"required":{"type":"boolean"},"validators":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"object"}}}}}},"groups":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"displayDescription":{"type":"string"},"displayHeader":{"type":"string"},"name":{"type":"string"}}}}}},"username":{"type":"string"}}}},"name":{"type":"string"},"redirectUrl":{"type":"string"}}}},"organizationsEnabled":{"type":"boolean"},"otpPolicyAlgorithm":{"type":"string"},"otpPolicyCodeReusable":{"type":"boolean"},"otpPolicyDigits":{"type":"integer"},"otpPolicyInitialCounter":{"type":"integer"},"otpPolicyLookAheadWindow":{"type":"integer"},"otpPolicyPeriod":{"type":"integer"},"otpPolicyType":{"type":"string"},"otpSupportedApplications":{"type":"array","items":{"type":"string"}},"passwordCredentialGrantAllowed":{"type":"boolean"},"passwordPolicy":{"type":"string"},"permanentLockout":{"type":"boolean"},"privateKey":{"type":"string"},"protocolMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"consentRequired":{"type":"boolean"},"consentText":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"protocol":{"type":"string"},"protocolMapper":{"type":"string"}}}},"publicKey":{"type":"string"},"quickLoginCheckMilliSeconds":{"type":"integer"},"realm":{"type":"string"},"refreshTokenMaxReuse":{"type":"integer"},"registrationAllowed":{"type":"boolean"},"registrationEmailAsUsername":{"type":"boolean"},"registrationFlow":{"type":"string"},"rememberMe":{"type":"boolean"},"
requiredActions":{"type":"array","items":{"type":"object","properties":{"alias":{"type":"string"},"config":{"type":"object","additionalProperties":{"type":"string"}},"defaultAction":{"type":"boolean"},"enabled":{"type":"boolean"},"name":{"type":"string"},"priority":{"type":"integer"},"providerId":{"type":"string"}}}},"requiredCredentials":{"type":"array","items":{"type":"string"}},"resetCredentialsFlow":{"type":"string"},"resetPasswordAllowed":{"type":"boolean"},"revokeRefreshToken":{"type":"boolean"},"roles":{"type":"object","properties":{"application":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRole":{"type":"boolean"},"composite":{"type":"boolean"},"composites":{"type":"object","properties":{"application":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"client":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"realm":{"type":"array","items":{"type":"string"}}}},"containerId":{"type":"string"},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"scopeParamRequired":{"type":"boolean"}}}}},"client":{"type":"object","additionalProperties":{"type":"array","items":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRole":{"type":"boolean"},"composite":{"type":"boolean"},"composites":{"type":"object","properties":{"application":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"client":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"realm":{"type":"array","items":{"type":"string"}}}},"containerId":{"type":"string"},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"scopeParamRequired":{"type":"boolean"}}}}},"realm":{"type":"array","items":{
"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientRole":{"type":"boolean"},"composite":{"type":"boolean"},"composites":{"type":"object","properties":{"application":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"client":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"realm":{"type":"array","items":{"type":"string"}}}},"containerId":{"type":"string"},"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"scopeParamRequired":{"type":"boolean"}}}}}},"scopeMappings":{"type":"array","items":{"type":"object","properties":{"client":{"type":"string"},"clientScope":{"type":"string"},"clientTemplate":{"type":"string"},"roles":{"type":"array","items":{"type":"string"}},"self":{"type":"string"}}}},"smtpServer":{"type":"object","additionalProperties":{"type":"string"}},"social":{"type":"boolean"},"socialProviders":{"type":"object","additionalProperties":{"type":"string"}},"sslRequired":{"type":"string"},"ssoSessionIdleTimeout":{"type":"integer"},"ssoSessionIdleTimeoutRememberMe":{"type":"integer"},"ssoSessionMaxLifespan":{"type":"integer"},"ssoSessionMaxLifespanRememberMe":{"type":"integer"},"supportedLocales":{"type":"array","items":{"type":"string"}},"updateProfileOnInitialSocialLogin":{"type":"boolean"},"userFederationMappers":{"type":"array","items":{"type":"object","properties":{"config":{"type":"object","additionalProperties":{"type":"string"}},"federationMapperType":{"type":"string"},"federationProviderDisplayName":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}}},"userFederationProviders":{"type":"array","items":{"type":"object","properties":{"changedSyncPeriod":{"type":"integer"},"config":{"type":"object","additionalProperties":{"type":"string"}},"displayName":{"type":"string"},"fullSyncPeriod":{"type":"integer"},"id":{"type":"string"},"lastSync":{"type":"integer"},"prio
rity":{"type":"integer"},"providerName":{"type":"string"}}}},"userManagedAccessAllowed":{"type":"boolean"},"users":{"type":"array","items":{"type":"object","properties":{"access":{"type":"object","additionalProperties":{"type":"boolean"}},"applicationRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"attributes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"clientConsents":{"type":"array","items":{"type":"object","properties":{"clientId":{"type":"string"},"createdDate":{"type":"integer"},"grantedClientScopes":{"type":"array","items":{"type":"string"}},"grantedRealmRoles":{"type":"array","items":{"type":"string"}},"lastUpdatedDate":{"type":"integer"}}}},"clientRoles":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"createdTimestamp":{"type":"integer"},"credentials":{"type":"array","items":{"type":"object","properties":{"algorithm":{"type":"string"},"config":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"counter":{"type":"integer"},"createdDate":{"type":"integer"},"credentialData":{"type":"string"},"device":{"type":"string"},"digits":{"type":"integer"},"federationLink":{"type":"string"},"hashIterations":{"type":"integer"},"hashedSaltedValue":{"type":"string"},"id":{"type":"string"},"period":{"type":"integer"},"priority":{"type":"integer"},"salt":{"type":"string"},"secretData":{"type":"string"},"temporary":{"type":"boolean"},"type":{"type":"string"},"userLabel":{"type":"string"},"value":{"type":"string"}}}},"disableableCredentialTypes":{"type":"array","items":{"type":"string"}},"email":{"type":"string"},"emailVerified":{"type":"boolean"},"enabled":{"type":"boolean"},"federatedIdentities":{"type":"array","items":{"type":"object","properties":{"identityProvider":{"type":"string"},"userId":{"type":"string"},"userName":{"type":"string"}}}},"federationLink":{"type":"string"},"firstName":{"type":"string"},"groups":{"type":"
array","items":{"type":"string"}},"id":{"type":"string"},"lastName":{"type":"string"},"notBefore":{"type":"integer"},"origin":{"type":"string"},"realmRoles":{"type":"array","items":{"type":"string"}},"requiredActions":{"type":"array","items":{"type":"string"}},"self":{"type":"string"},"serviceAccountClientId":{"type":"string"},"socialLinks":{"type":"array","items":{"type":"object","properties":{"socialProvider":{"type":"string"},"socialUserId":{"type":"string"},"socialUsername":{"type":"string"}}}},"totp":{"type":"boolean"},"userProfileMetadata":{"type":"object","properties":{"attributes":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"group":{"type":"string"},"multivalued":{"type":"boolean"},"name":{"type":"string"},"readOnly":{"type":"boolean"},"required":{"type":"boolean"},"validators":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"object"}}}}}},"groups":{"type":"array","items":{"type":"object","properties":{"annotations":{"type":"object","additionalProperties":{"type":"object"}},"displayDescription":{"type":"string"},"displayHeader":{"type":"string"},"name":{"type":"string"}}}}}},"username":{"type":"string"}}}},"verifiableCredentialsEnabled":{"type":"boolean"},"verifyEmail":{"type":"boolean"},"waitIncrementSeconds":{"type":"integer"},"webAuthnPolicyAcceptableAaguids":{"type":"array","items":{"type":"string"}},"webAuthnPolicyAttestationConveyancePreference":{"type":"string"},"webAuthnPolicyAuthenticatorAttachment":{"type":"string"},"webAuthnPolicyAvoidSameAuthenticatorRegister":{"type":"boolean"},"webAuthnPolicyCreateTimeout":{"type":"integer"},"webAuthnPolicyExtraOrigins":{"type":"array","items":{"type":"string"}},"webAuthnPolicyPasswordlessAcceptableAaguids":{"type":"array","items":{"type":"string"}},"webAuthnPolicyPasswordlessAttestationConveyancePreference":{"type":"string"}
,"webAuthnPolicyPasswordlessAuthenticatorAttachment":{"type":"string"},"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister":{"type":"boolean"},"webAuthnPolicyPasswordlessCreateTimeout":{"type":"integer"},"webAuthnPolicyPasswordlessExtraOrigins":{"type":"array","items":{"type":"string"}},"webAuthnPolicyPasswordlessPasskeysEnabled":{"type":"boolean"},"webAuthnPolicyPasswordlessRequireResidentKey":{"type":"string"},"webAuthnPolicyPasswordlessRpEntityName":{"type":"string"},"webAuthnPolicyPasswordlessRpId":{"type":"string"},"webAuthnPolicyPasswordlessSignatureAlgorithms":{"type":"array","items":{"type":"string"}},"webAuthnPolicyPasswordlessUserVerificationRequirement":{"type":"string"},"webAuthnPolicyRequireResidentKey":{"type":"string"},"webAuthnPolicyRpEntityName":{"type":"string"},"webAuthnPolicyRpId":{"type":"string"},"webAuthnPolicySignatureAlgorithms":{"type":"array","items":{"type":"string"}},"webAuthnPolicyUserVerificationRequirement":{"type":"string"}}},"resources":{"description":"Compute Resources required by Keycloak container. 
If not specified, the value is inherited from the Keycloak CR.","type":"object","properties":{"claims":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"request":{"type":"string"}}}},"limits":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}},"requests":{"type":"object","additionalProperties":{"x-kubernetes-int-or-string":true}}}}}},"status":{"type":"object","properties":{"conditions":{"type":"array","items":{"type":"object","properties":{"lastTransitionTime":{"type":"string"},"message":{"type":"string"},"observedGeneration":{"type":"integer"},"status":{"type":"string"},"type":{"type":"string"}}}}}}},"x-kubernetes-group-version-kind":[{"group":"k8s.keycloak.org","kind":"KeycloakRealmImport","version":"v2alpha1"}],"title":"org.keycloak.k8s.v2alpha1.KeycloakRealmImport"},"org.keycloak.k8s.v2alpha1.KeycloakRealmImportList":{"description":"KeycloakRealmImportList is a list of KeycloakRealmImport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of keycloakrealmimports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/org.keycloak.k8s.v2alpha1.KeycloakRealmImport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"k8s.keycloak.org","kind":"KeycloakRealmImportList","version":"v2alpha1"}],"title":"org.keycloak.k8s.v2alpha1.KeycloakRealmImportList"},"rocks.kinda.v1alpha1.Database":{"description":"Database is the Schema for the databases API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DatabaseSpec defines the desired state of Database","type":"object","required":["backup","deletionProtected","instance","secretName"],"properties":{"backup":{"description":"DatabaseBackup defines the desired state of backup and schedule","type":"object","required":["cron","enable"],"properties":{"cron":{"type":"string"},"enable":{"type":"boolean"}}},"cleanup":{"type":"boolean"},"connectionStringTemplate":{"description":"ConnectionStringTemplate field can be used to pass a custom template for generating a db connection string.\nThese keywords can be used: Protocol, DatabaseHost, DatabasePort, UserName, Password, DatabaseName.\nDefault template looks like this:\n\"{{ .Protocol }}://{{ .UserName }}:{{ .Password }}@{{ .DatabaseHost }}:{{ .DatabasePort }}/{{ .DatabaseName }}\"","type":"string"},"deletionProtected":{"type":"boolean"},"extensions":{"type":"array","items":{"type":"string"}},"instance":{"type":"string"},"postgres":{"description":"Postgres struct should be used to provide resource that only applicable to postgres","type":"object","properties":{"dropPublicSchema":{"description":"If set to true, the public schema will be dropped after the database creation","type":"boolean"},"schemas":{"description":"Specify schemas to be created. 
The user created by db-operator will have all access on them.","type":"array","items":{"type":"string"}}}},"secretName":{"type":"string"},"secretsTemplates":{"type":"object","additionalProperties":{"type":"string"}}}},"status":{"description":"DatabaseStatus defines the observed state of Database","type":"object","required":["database","instanceRef","phase","status","user"],"properties":{"database":{"type":"string"},"instanceRef":{"description":"DbInstance is the Schema for the dbinstances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"DbInstanceSpec defines the desired state of DbInstance","type":"object","required":["adminSecretRef","engine"],"properties":{"adminSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"backup":{"description":"DbInstanceBackup defines name of google bucket to use for storing database dumps for backup when backup is enabled","type":"object","required":["bucket"],"properties":{"bucket":{"type":"string"}}},"engine":{"description":"Important: Run \"make 
generate\" to regenerate code after modifying this file","type":"string"},"generic":{"description":"GenericInstance is used when instance type is generic\nand describes necessary informations to use instance\ngeneric instance can be any backend, it must be reachable by described address and port","type":"object","required":["host","port"],"properties":{"backupHost":{"description":"BackupHost address will be used for dumping database for backup\nUsually secondary address for primary-secondary setup or cluster lb address\nIf it's not defined, above Host will be used as backup host address.","type":"string"},"host":{"type":"string"},"port":{"type":"integer"},"publicIp":{"type":"string"}}},"google":{"description":"GoogleInstance is used when instance type is Google Cloud SQL\nand describes necessary informations to use google API to create sql instances","type":"object","required":["configmapRef","instance"],"properties":{"apiEndpoint":{"type":"string"},"clientSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"configmapRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"instance":{"type":"string"}}},"monitoring":{"description":"DbInstanceMonitoring defines if exporter","type":"object","required":["enabled"],"properties":{"enabled":{"type":"boolean"}}},"sslConnection":{"description":"DbInstanceSSLConnection defines weather connection from db-operator to instance has to be ssl or 
not","type":"object","required":["enabled","skip-verify"],"properties":{"enabled":{"type":"boolean"},"skip-verify":{"description":"skip-verify: use an SSL connection, but don't check the server certificate against a CA (the connection is encrypted, but the server is not authenticated)","type":"boolean"}}}}},"status":{"description":"DbInstanceStatus defines the observed state of DbInstance","type":"object","required":["phase","status"],"properties":{"checksums":{"type":"object","additionalProperties":{"type":"string"}},"info":{"type":"object","additionalProperties":{"type":"string"}},"phase":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file","type":"string"},"status":{"type":"boolean"}}}}},"monitorUserSecret":{"type":"string"},"phase":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file\nAdd custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html","type":"string"},"proxyStatus":{"description":"DatabaseProxyStatus defines whether proxy for database is enabled or not\nif so, provide information","type":"object","required":["serviceName","sqlPort","status"],"properties":{"serviceName":{"type":"string"},"sqlPort":{"type":"integer","format":"int32"},"status":{"type":"boolean"}}},"status":{"type":"boolean"},"user":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"Database","version":"v1alpha1"}],"title":"rocks.kinda.v1alpha1.Database"},"rocks.kinda.v1alpha1.DatabaseList":{"description":"DatabaseList is a list of Database","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of databases. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/rocks.kinda.v1alpha1.Database"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DatabaseList","version":"v1alpha1"}],"title":"rocks.kinda.v1alpha1.DatabaseList"},"rocks.kinda.v1alpha1.DbInstance":{"description":"DbInstance is the Schema for the dbinstances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DbInstanceSpec defines the desired state of DbInstance","type":"object","required":["adminSecretRef","engine"],"properties":{"adminSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"backup":{"description":"DbInstanceBackup defines name of google bucket to use for storing database dumps for backup when backup is enabled","type":"object","required":["bucket"],"properties":{"bucket":{"type":"string"}}},"engine":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file","type":"string"},"generic":{"description":"GenericInstance is used when instance type is generic\nand describes necessary informations to use instance\ngeneric instance can be any backend, it must be reachable by described address and port","type":"object","required":["host","port"],"properties":{"backupHost":{"description":"BackupHost address will be used for dumping database for backup\nUsually secondary address for primary-secondary setup or cluster lb address\nIf it's not defined, above Host will be used as backup host address.","type":"string"},"host":{"type":"string"},"port":{"type":"integer"},"publicIp":{"type":"string"}}},"google":{"description":"GoogleInstance is used when instance type is Google Cloud SQL\nand describes necessary informations to use google API to create sql instances","type":"object","required":["configmapRef","instance"],"properties":{"apiEndpoint":{"type":"string"},"clientSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same 
name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"configmapRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"instance":{"type":"string"}}},"monitoring":{"description":"DbInstanceMonitoring defines if exporter","type":"object","required":["enabled"],"properties":{"enabled":{"type":"boolean"}}},"sslConnection":{"description":"DbInstanceSSLConnection defines whether connection from db-operator to instance has to be ssl or not","type":"object","required":["enabled","skip-verify"],"properties":{"enabled":{"type":"boolean"},"skip-verify":{"description":"skip-verify: use an SSL connection, but don't check the server certificate against a CA (the connection is encrypted, but the server is not authenticated)","type":"boolean"}}}}},"status":{"description":"DbInstanceStatus defines the observed state of DbInstance","type":"object","required":["phase","status"],"properties":{"checksums":{"type":"object","additionalProperties":{"type":"string"}},"info":{"type":"object","additionalProperties":{"type":"string"}},"phase":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file","type":"string"},"status":{"type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbInstance","version":"v1alpha1"}],"title":"rocks.kinda.v1alpha1.DbInstance"},"rocks.kinda.v1alpha1.DbInstanceList":{"description":"DbInstanceList is a list of DbInstance","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbinstances. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/rocks.kinda.v1alpha1.DbInstance"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbInstanceList","version":"v1alpha1"}],"title":"rocks.kinda.v1alpha1.DbInstanceList"},"rocks.kinda.v1beta1.Database":{"description":"Database is the Schema for the databases API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DatabaseSpec defines the desired state of Database","type":"object","required":["backup","deletionProtected","instance","secretName"],"properties":{"backup":{"description":"DatabaseBackup defines the desired state of backup and schedule","type":"object","required":["cron","enable"],"properties":{"cron":{"type":"string"},"enable":{"type":"boolean"}}},"cleanup":{"type":"boolean"},"credentials":{"description":"Credentials should be used to setup everything relates to k8s secrets and configmaps","type":"object","properties":{"metadata":{"description":"Metadata defines additional metadata that should be applied to\nk8s resources created from credentials configuration.\n\nFor Database and DbUser, this metadata is applied to the Secret\nthat stores generated credentials.","type":"object","properties":{"extraAnnotations":{"description":"ExtraAnnotations will be merged into the annotations of the Secret\ncreated for the credentials. Existing annotations are preserved, and\nkeys from this map will overwrite annotations with the same key on\nthe Secret.","type":"object","additionalProperties":{"type":"string"}},"extraLabels":{"description":"ExtraLabels will be merged into the labels of the Secret created\nfor the credentials. 
Existing labels are preserved, and keys from\nthis map will overwrite labels with the same key on the Secret.","type":"object","additionalProperties":{"type":"string"}}}},"templates":{"description":"Templates to add custom entries to ConfigMaps and Secrets","type":"array","items":{"description":"Templates to add custom entries to ConfigMaps and Secrets","type":"object","required":["name","secret","template"],"properties":{"name":{"type":"string"},"secret":{"type":"boolean"},"template":{"type":"string"}}}}}},"deletionProtected":{"type":"boolean"},"existingUser":{"description":"If specified, DB Operator will try to use an existing user to assign permissions\nUser will not be removed, when a database is removed, but the permissions added by the\noperator will be cleaned up","type":"string"},"extraGrants":{"type":"array","items":{"type":"object","required":["accessType","user"],"properties":{"accessType":{"type":"string"},"user":{"type":"string"}}}},"instance":{"type":"string"},"postgres":{"description":"Postgres struct should be used to provide resources that are only applicable to postgres","type":"object","properties":{"dropPublicSchema":{"description":"If set to true, the public schema will be dropped after the database creation","type":"boolean"},"extensions":{"type":"array","items":{"type":"string"}},"schemas":{"description":"Specify schemas to be created. 
The user created by db-operator will have all access on them.","type":"array","items":{"type":"string"}},"template":{"description":"Let user create database from template","type":"string"}}},"secretName":{"type":"string"},"secretsTemplates":{"type":"object","additionalProperties":{"type":"string"}}}},"status":{"description":"DatabaseStatus defines the observed state of Database","type":"object","required":["database","engine","status","user"],"properties":{"database":{"type":"string"},"engine":{"type":"string"},"extraGrants":{"type":"array","items":{"type":"object","required":["accessType","user"],"properties":{"accessType":{"type":"string"},"user":{"type":"string"}}}},"monitorUserSecret":{"type":"string"},"operatorVersion":{"type":"string"},"proxyStatus":{"description":"DatabaseProxyStatus defines whether proxy for database is enabled or not\nif so, provide information","type":"object","required":["serviceName","sqlPort","status"],"properties":{"serviceName":{"type":"string"},"sqlPort":{"type":"integer","format":"int32"},"status":{"type":"boolean"}}},"status":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file\nAdd custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html","type":"boolean"},"user":{"type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"Database","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.Database"},"rocks.kinda.v1beta1.DatabaseList":{"description":"DatabaseList is a list of Database","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of databases. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/rocks.kinda.v1beta1.Database"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DatabaseList","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.DatabaseList"},"rocks.kinda.v1beta1.DbInstance":{"description":"DbInstance is the Schema for the dbinstances API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DbInstanceSpec defines the desired state of DbInstance","type":"object","required":["adminSecretRef","engine"],"properties":{"adminSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"allowExtraGrants":{"description":"If set to true, extra grants are enabled on the databases\nmaking it possible to provide access to any user on the database instance","type":"boolean"},"allowedPrivileges":{"description":"A list of privileges that are allowed to be set as Dbuser's extra privileges","type":"array","items":{"type":"string"}},"backup":{"description":"DbInstanceBackup defines name of google bucket to use for storing database dumps for backup when backup is enabled","type":"object","required":["bucket"],"properties":{"bucket":{"type":"string"}}},"engine":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file","type":"string"},"generic":{"description":"GenericInstance is used when instance type is generic\nand describes necessary information to use instance\ngeneric instance can be any backend, it must be reachable by described address and port","type":"object","properties":{"backupHost":{"description":"BackupHost address will be used for dumping database for backup\nUsually secondary address for primary-secondary setup or cluster lb address\nIf it's not defined, above Host will be used as backup host 
address.","type":"string"},"host":{"type":"string"},"hostFrom":{"type":"object","required":["key","kind","name","namespace"],"properties":{"key":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"port":{"type":"integer"},"portFrom":{"type":"object","required":["key","kind","name","namespace"],"properties":{"key":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}},"publicIp":{"type":"string"},"publicIpFrom":{"type":"object","required":["key","kind","name","namespace"],"properties":{"key":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}}}}},"google":{"description":"GoogleInstance is used when instance type is Google Cloud SQL\nand describes necessary information to use google API to create sql instances","type":"object","required":["configmapRef","instance"],"properties":{"apiEndpoint":{"type":"string"},"clientSecretRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"configmapRef":{"description":"NamespacedName is a fork of the kubernetes api type of the same name.\nSadly this is required because CRD structs must have all fields json tagged and the kubernetes type is not tagged.","type":"object","required":["Name","Namespace"],"properties":{"Name":{"type":"string"},"Namespace":{"type":"string"}}},"instance":{"type":"string"}}},"instanceVars":{"description":"InstanceVars can be used by any database/dbuser that are deployed\nto this instance to build templated credentials with some generic values.\nCan be used for example to provide a read only postgres replica 
url","type":"object","additionalProperties":{"type":"string"}},"monitoring":{"description":"DbInstanceMonitoring defines if exporter","type":"object","required":["enabled"],"properties":{"enabled":{"type":"boolean"}}},"sslConnection":{"description":"DbInstanceSSLConnection defines whether connection from db-operator to instance has to be ssl or not","type":"object","required":["enabled","skip-verify"],"properties":{"enabled":{"type":"boolean"},"skip-verify":{"description":"SkipVerify uses an SSL connection but does not check the server certificate against a CA, so the connection is encrypted but the server's identity is not verified","type":"boolean"}}}}},"status":{"description":"DbInstanceStatus defines the observed state of DbInstance","type":"object","required":["phase","status"],"properties":{"checksums":{"type":"object","additionalProperties":{"type":"string"}},"info":{"type":"object","additionalProperties":{"type":"string"}},"phase":{"description":"Important: Run \"make generate\" to regenerate code after modifying this file","type":"string"},"status":{"type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbInstance","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.DbInstance"},"rocks.kinda.v1beta1.DbInstanceList":{"description":"DbInstanceList is a list of DbInstance","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbinstances. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/rocks.kinda.v1beta1.DbInstance"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbInstanceList","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.DbInstanceList"},"rocks.kinda.v1beta1.DbUser":{"description":"DbUser is the Schema for the dbusers API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"DbUserSpec defines the desired state of DbUser","type":"object","required":["accessType","databaseRef","secretName"],"properties":{"accessType":{"description":"AccessType that should be given to a user\nCurrently only readOnly and readWrite are supported by the operator","type":"string"},"cleanup":{"type":"boolean"},"credentials":{"description":"Credentials should be used to setup everything relates to k8s secrets and configmaps","type":"object","properties":{"metadata":{"description":"Metadata defines additional metadata that should be applied to\nk8s resources created from credentials configuration.\n\nFor Database and DbUser, this metadata is applied to the Secret\nthat stores generated credentials.","type":"object","properties":{"extraAnnotations":{"description":"ExtraAnnotations will be merged into the annotations of the Secret\ncreated for the credentials. Existing annotations are preserved, and\nkeys from this map will overwrite annotations with the same key on\nthe Secret.","type":"object","additionalProperties":{"type":"string"}},"extraLabels":{"description":"ExtraLabels will be merged into the labels of the Secret created\nfor the credentials. 
Existing labels are preserved, and keys from\nthis map will overwrite labels with the same key on the Secret.","type":"object","additionalProperties":{"type":"string"}}}},"templates":{"description":"Templates to add custom entries to ConfigMaps and Secrets","type":"array","items":{"description":"Templates to add custom entries to ConfigMaps and Secrets","type":"object","required":["name","secret","template"],"properties":{"name":{"type":"string"},"secret":{"type":"boolean"},"template":{"type":"string"}}}}}},"databaseRef":{"description":"DatabaseRef should contain a name of a Database to create a user there\nDatabase should be in the same namespace with the user","type":"string"},"existingUser":{"description":"If specified, DB Operator will try to use an existing user to assign permissions\nUser will not be removed, when a dbuser is removed, but the permissions added by the\noperator will be cleaned up","type":"string"},"extraPrivileges":{"description":"A list of additional roles that should be added to the user","type":"array","items":{"type":"string"}},"grantToAdmin":{"description":"Should the user be granted to the admin user\nFor example, it should be set to true on Azure instance,\nbecause the admin given by them is not a super user,\nbut should be set to false on AWS, when rds_iam extra\nprivilege is added\nBy default is set to true\nOnly applies to Postgres, doesn't have any effect on Mysql\n      changes it's now set to true. 
It should be changed in\n      in the next API version","type":"boolean"},"secretName":{"description":"SecretName name that should be used to save user's credentials","type":"string"}}},"status":{"description":"DbUserStatus defines the observed state of DbUser","type":"object","required":["created","database","status"],"properties":{"created":{"description":"It's required to let the operator update users","type":"boolean"},"database":{"type":"string"},"operatorVersion":{"type":"string"},"status":{"type":"boolean"}}}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbUser","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.DbUser"},"rocks.kinda.v1beta1.DbUserList":{"description":"DbUserList is a list of DbUser","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of dbusers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/rocks.kinda.v1beta1.DbUser"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kinda.rocks","kind":"DbUserList","version":"v1beta1"}],"title":"rocks.kinda.v1beta1.DbUserList"},"sh.karpenter.v1.NodeClaim":{"description":"NodeClaim is the Schema for the NodeClaims API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"NodeClaimSpec describes the desired state of the NodeClaim","type":"object","required":["nodeClassRef","requirements"],"properties":{"expireAfter":{"description":"ExpireAfter is the duration the controller will wait\nbefore terminating a node, measured from when the node is created. 
This\nis useful to implement features like eventually consistent node upgrade,\nmemory leak protection, and disruption testing.","type":"string","pattern":"^(([0-9]+(s|m|h))+|Never)$"},"nodeClassRef":{"description":"NodeClassRef is a reference to an object that defines provider specific configuration","type":"object","required":["group","kind","name"],"properties":{"group":{"description":"API version of the referent","type":"string","pattern":"^[^/]*$","x-kubernetes-validations":[{"message":"group may not be empty","rule":"self != ''"}]},"kind":{"description":"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\"","type":"string","x-kubernetes-validations":[{"message":"kind may not be empty","rule":"self != ''"}]},"name":{"description":"Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names","type":"string","x-kubernetes-validations":[{"message":"name may not be empty","rule":"self != ''"}]}}},"requirements":{"description":"Requirements are layered with GetLabels and applied to every node.","type":"array","maxItems":100,"items":{"description":"A node selector requirement with min values is a selector that contains values, a key, an operator that relates the key and values\nand minValues that represent the requirement to have at least that many values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$","x-kubernetes-validations":[{"message":"label domain \"kubernetes.io\" is restricted","rule":"self in [\"beta.kubernetes.io/instance-type\", \"failure-domain.beta.kubernetes.io/region\", \"beta.kubernetes.io/os\", \"beta.kubernetes.io/arch\", \"failure-domain.beta.kubernetes.io/zone\", \"topology.kubernetes.io/zone\", 
\"topology.kubernetes.io/region\", \"node.kubernetes.io/instance-type\", \"kubernetes.io/arch\", \"kubernetes.io/os\", \"node.kubernetes.io/windows-build\"] || self.find(\"^([^/]+)\").endsWith(\"node.kubernetes.io\") || self.find(\"^([^/]+)\").endsWith(\"node-restriction.kubernetes.io\") || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\") || self in [\"app.kubernetes.io/managed-by\"]"},{"message":"label domain \"k8s.io\" is restricted","rule":"self.find(\"^([^/]+)\").endsWith(\"kops.k8s.io\") || !self.find(\"^([^/]+)\").endsWith(\"k8s.io\")"},{"message":"label domain \"karpenter.sh\" is restricted","rule":"self in [\"karpenter.sh/capacity-type\", \"karpenter.sh/nodepool\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},{"message":"label \"kubernetes.io/hostname\" is restricted","rule":"self != \"kubernetes.io/hostname\""},{"message":"label domain \"karpenter.k8s.aws\" is restricted","rule":"self in [\"karpenter.k8s.aws/instance-tenancy\", \"karpenter.k8s.aws/capacity-reservation-type\", \"karpenter.k8s.aws/capacity-reservation-id\", \"karpenter.k8s.aws/ec2nodeclass\", \"karpenter.k8s.aws/instance-encryption-in-transit-supported\", \"karpenter.k8s.aws/instance-category\", \"karpenter.k8s.aws/instance-hypervisor\", \"karpenter.k8s.aws/instance-family\", \"karpenter.k8s.aws/instance-generation\", \"karpenter.k8s.aws/instance-local-nvme\", \"karpenter.k8s.aws/instance-size\", \"karpenter.k8s.aws/instance-cpu\", \"karpenter.k8s.aws/instance-cpu-manufacturer\", \"karpenter.k8s.aws/instance-cpu-sustained-clock-speed-mhz\", \"karpenter.k8s.aws/instance-memory\", \"karpenter.k8s.aws/instance-ebs-bandwidth\", \"karpenter.k8s.aws/instance-network-bandwidth\", \"karpenter.k8s.aws/instance-gpu-name\", \"karpenter.k8s.aws/instance-gpu-manufacturer\", \"karpenter.k8s.aws/instance-gpu-count\", \"karpenter.k8s.aws/instance-gpu-memory\", \"karpenter.k8s.aws/instance-accelerator-name\", \"karpenter.k8s.aws/instance-accelerator-manufacturer\", 
\"karpenter.k8s.aws/instance-accelerator-count\", \"karpenter.k8s.aws/instance-capability-flex\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.k8s.aws\")"},{"message":"label domain \"eks.amazonaws.com\" is restricted","rule":"self in [\"eks.amazonaws.com/instance-tenancy\", \"eks.amazonaws.com/capacity-reservation-type\", \"eks.amazonaws.com/capacity-reservation-id\", \"eks.amazonaws.com/nodeclass\", \"eks.amazonaws.com/compute-type\", \"eks.amazonaws.com/instance-encryption-in-transit-supported\", \"eks.amazonaws.com/instance-category\", \"eks.amazonaws.com/instance-hypervisor\", \"eks.amazonaws.com/instance-family\", \"eks.amazonaws.com/instance-generation\", \"eks.amazonaws.com/instance-local-nvme\", \"eks.amazonaws.com/instance-size\", \"eks.amazonaws.com/instance-cpu\", \"eks.amazonaws.com/instance-cpu-manufacturer\", \"eks.amazonaws.com/instance-cpu-sustained-clock-speed-mhz\", \"eks.amazonaws.com/instance-memory\", \"eks.amazonaws.com/instance-ebs-bandwidth\", \"eks.amazonaws.com/instance-network-bandwidth\", \"eks.amazonaws.com/instance-gpu-name\", \"eks.amazonaws.com/instance-gpu-manufacturer\", \"eks.amazonaws.com/instance-gpu-count\", \"eks.amazonaws.com/instance-gpu-memory\", \"eks.amazonaws.com/instance-accelerator-name\", \"eks.amazonaws.com/instance-accelerator-manufacturer\", \"eks.amazonaws.com/instance-accelerator-count\", \"eks.amazonaws.com/instance-capability-flex\"] || !self.find(\"^([^/]+)\").endsWith(\"eks.amazonaws.com\")"},{"message":"label domain \"sagemaker.amazonaws.com\" is restricted","rule":"self in [\"sagemaker.amazonaws.com/compute-type\", \"karpenter.sagemaker.amazonaws.com/hyperpodnodeclass\"] || !self.find(\"^([^/]+)\").endsWith(\"sagemaker.amazonaws.com\")"}]},"minValues":{"description":"This field is ALPHA and can be dropped or replaced at any time\nMinValues is the minimum number of unique values required to define the flexibility of the specific 
requirement.","type":"integer","maximum":50,"minimum":1},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist, Gt, Lt, Gte, and Lte.","type":"string","enum":["Gte","Lte","In","NotIn","Exists","DoesNotExist","Gt","Lt"]},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt, Lt, Gte, or Lte, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","maxLength":63,"pattern":"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-validations":[{"message":"requirements with operator 'In' must have a value defined","rule":"self.all(x, x.operator == 'In' ? x.values.size() != 0 : true)"},{"message":"requirements operator 'Gt', 'Lt', 'Gte', or 'Lte' must have a single positive integer value","rule":"self.all(x, (x.operator == 'Gt' || x.operator == 'Lt' || x.operator == 'Gte' || x.operator == 'Lte') ? (x.values.size() == 1 && int(x.values[0]) >= 0) : true)"},{"message":"requirements with 'minValues' must have at least that many values specified in the 'values' field","rule":"self.all(x, (x.operator == 'In' && has(x.minValues)) ? 
x.values.size() >= x.minValues : true)"}]},"resources":{"description":"Resources models the resource requirements for the NodeClaim to launch","type":"object","properties":{"requests":{"description":"Requests describes the minimum required resources for the NodeClaim to launch","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}},"startupTaints":{"description":"StartupTaints are taints that are applied to nodes upon startup which are expected to be removed automatically\nwithin a short period of time, typically by a DaemonSet that tolerates the taint. These are commonly used by\ndaemonsets to allow initialization and enforce startup ordering.  StartupTaints are ignored for provisioning\npurposes in that pods are not required to tolerate a StartupTaint in order to have nodes provisioned for them.","type":"array","items":{"description":"The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint.","type":"object","required":["effect","key"],"properties":{"effect":{"description":"Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute.","type":"string","enum":["NoSchedule","PreferNoSchedule","NoExecute"]},"key":{"description":"Required. 
The taint key to be applied to a node.","type":"string","minLength":1,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added.","type":"string","format":"date-time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string","pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"}}}},"taints":{"description":"Taints will be applied to the NodeClaim's node.","type":"array","items":{"description":"The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint.","type":"object","required":["effect","key"],"properties":{"effect":{"description":"Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute.","type":"string","enum":["NoSchedule","PreferNoSchedule","NoExecute"]},"key":{"description":"Required. 
The taint key to be applied to a node.","type":"string","minLength":1,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added.","type":"string","format":"date-time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string","pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"}}}},"terminationGracePeriod":{"description":"TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.\n\nWarning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.\n\nThis field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.\nWhen set, drifted nodes will begin draining even if there are pods blocking eviction. 
Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.\n\nKarpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.\nIf a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,\nthat pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.\n\nThe feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.\nIf left undefined, the controller will wait indefinitely for pods to be drained.","type":"string","pattern":"^([0-9]+(s|m|h))+$"}},"x-kubernetes-validations":[{"message":"spec is immutable","rule":"self == oldSelf"},{"message":"the sum of expireAfter and terminationGracePeriod may not exceed 21 days","rule":"(self.nodeClassRef.group == 'eks.amazonaws.com' && self.nodeClassRef.kind == 'NodeClass') ? duration(self.expireAfter) + duration(self.terminationGracePeriod) <= duration('504h') : true"},{"message":"expireAfter may not be set to Never","rule":"(self.nodeClassRef.group == 'eks.amazonaws.com' && self.nodeClassRef.kind == 'NodeClass') ? 
self.expireAfter != 'Never' : true"}]},"status":{"description":"NodeClaimStatus defines the observed state of NodeClaim","type":"object","properties":{"allocatable":{"description":"Allocatable is the estimated allocatable capacity of the node","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"capacity":{"description":"Capacity is the estimated full capacity of the node","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"conditions":{"description":"Conditions contains signals for health and readiness","type":"array","items":{"description":"Condition aliases the upstream type and adds additional helper methods","type":"object","required":["lastTransitionTime","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"pattern":"^([A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?|)$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"imageID":{"description":"ImageID is an identifier for the image that runs on the node","type":"string"},"lastPodEventTime":{"description":"LastPodEventTime is updated with the last time a pod was scheduled\nor removed from the node. 
A pod going terminal or terminating\nis also considered as removed.","type":"string","format":"date-time"},"nodeName":{"description":"NodeName is the name of the corresponding node object","type":"string"},"providerID":{"description":"ProviderID of the corresponding node object","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"karpenter.sh","kind":"NodeClaim","version":"v1"}],"title":"sh.karpenter.v1.NodeClaim"},"sh.karpenter.v1.NodeClaimList":{"description":"NodeClaimList is a list of NodeClaim","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodeclaims. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/sh.karpenter.v1.NodeClaim"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"karpenter.sh","kind":"NodeClaimList","version":"v1"}],"title":"sh.karpenter.v1.NodeClaimList"},"sh.karpenter.v1.NodePool":{"description":"NodePool is the Schema for the NodePools API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"NodePoolSpec is the top level nodepool specification. Nodepools\nlaunch nodes in response to pods that are unschedulable. A single nodepool\nis capable of managing a diverse set of nodes. 
Node properties are determined\nfrom a combination of nodepool and pod scheduling constraints.","type":"object","required":["template"],"properties":{"disruption":{"description":"Disruption contains the parameters that relate to Karpenter's disruption logic","type":"object","required":["consolidateAfter"],"properties":{"budgets":{"description":"Budgets is a list of Budgets.\nIf there are multiple active budgets, Karpenter uses\nthe most restrictive value. If left undefined,\nthis will default to one budget with a value of 10%.","type":"array","maxItems":50,"items":{"description":"Budget defines when Karpenter will restrict the\nnumber of Node Claims that can be terminating simultaneously.","type":"object","required":["nodes"],"properties":{"duration":{"description":"Duration determines how long a Budget is active since each Schedule hit.\nOnly minutes and hours are accepted, as cron does not work in seconds.\nIf omitted, the budget is always active.\nThis is required if Schedule is set.\nThis regex has an optional 0s at the end since the duration.String() always adds\na 0s at the end.","type":"string","pattern":"^((([0-9]+(h|m))|([0-9]+h[0-9]+m))(0s)?)$"},"nodes":{"description":"Nodes dictates the maximum number of NodeClaims owned by this NodePool\nthat can be terminating at once. This is calculated by counting nodes that\nhave a deletion timestamp set, or are actively being deleted by Karpenter.\nThis field is required when specifying a budget.\nThis cannot be of type intstr.IntOrString since kubebuilder doesn't support pattern\nchecking for int nodes for IntOrString nodes.\nRef: https://github.com/kubernetes-sigs/controller-tools/blob/55efe4be40394a288216dab63156b0a64fb82929/pkg/crd/markers/validation.go#L379-L388","type":"string","pattern":"^((100|[0-9]{1,2})%|[0-9]+)$"},"reasons":{"description":"Reasons is a list of disruption methods that this budget applies to. 
If Reasons is not set, this budget applies to all methods.\nOtherwise, this will apply to each reason defined.\nAllowed reasons are Underutilized, Empty, and Drifted.","type":"array","maxItems":50,"items":{"description":"DisruptionReason defines valid reasons for disruption budgets.","type":"string","enum":["Underutilized","Empty","Drifted","NodeNotHealthy"]}},"schedule":{"description":"Schedule specifies when a budget begins being active, following\nthe upstream cronjob syntax. If omitted, the budget is always active.\nTimezones are not supported.\nThis field is required if Duration is set.","type":"string","pattern":"^(@(annually|yearly|monthly|weekly|daily|midnight|hourly))|((.+)\\s(.+)\\s(.+)\\s(.+)\\s(.+))$"}}},"x-kubernetes-validations":[{"message":"'schedule' must be set with 'duration'","rule":"self.all(x, has(x.schedule) == has(x.duration))"}]},"consolidateAfter":{"description":"ConsolidateAfter is the duration the controller will wait\nbefore attempting to terminate nodes that are underutilized.\nRefer to ConsolidationPolicy for how underutilization is considered.\nWhen replicas is set, ConsolidateAfter is simply ignored","type":"string","pattern":"^(([0-9]+(s|m|h))+|Never)$"},"consolidationPolicy":{"description":"ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation\nalgorithm. This policy defaults to \"WhenEmptyOrUnderutilized\" if not specified.\nWhen replicas is set, ConsolidationPolicy is simply ignored","type":"string","enum":["WhenEmpty","WhenEmptyOrUnderutilized"]}}},"limits":{"description":"Limits define a set of bounds for provisioning capacity.\nLimits other than limits.nodes are not supported when replicas is set.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}},"replicas":{"description":"Replicas is the desired number of nodes for the NodePool. 
When specified, the NodePool will\nmaintain this fixed number of replicas rather than scaling based on pod demand.\nWhen replicas is set:\n  - The following fields are ignored:\n      * disruption.consolidationPolicy\n      * disruption.consolidateAfter\n  - Only limits.nodes is supported; other resource limits (e.g., CPU, memory) must not be specified.\n  - Weight is not supported.\nNote: This field is alpha.","type":"integer","format":"int64","minimum":0},"template":{"description":"Template contains the template of possibilities for the provisioning logic to launch a NodeClaim with.\nNodeClaims launched from this NodePool will often be further constrained than the template specifies.","type":"object","required":["spec"],"properties":{"metadata":{"type":"object","properties":{"annotations":{"description":"Annotations is an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations","type":"object","additionalProperties":{"type":"string"}},"labels":{"description":"Map of string keys and values that can be used to organize and categorize\n(scope and select) objects. 
May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels","type":"object","maxProperties":100,"additionalProperties":{"type":"string","maxLength":63,"pattern":"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"},"x-kubernetes-validations":[{"message":"label domain \"kubernetes.io\" is restricted","rule":"self.all(x, x in [\"beta.kubernetes.io/instance-type\", \"failure-domain.beta.kubernetes.io/region\",  \"beta.kubernetes.io/os\", \"beta.kubernetes.io/arch\", \"failure-domain.beta.kubernetes.io/zone\", \"topology.kubernetes.io/zone\", \"topology.kubernetes.io/region\", \"kubernetes.io/arch\", \"kubernetes.io/os\", \"node.kubernetes.io/windows-build\"] || x.find(\"^([^/]+)\").endsWith(\"node.kubernetes.io\") || x.find(\"^([^/]+)\").endsWith(\"node-restriction.kubernetes.io\") || !x.find(\"^([^/]+)\").endsWith(\"kubernetes.io\"))"},{"message":"label domain \"k8s.io\" is restricted","rule":"self.all(x, x.find(\"^([^/]+)\").endsWith(\"kops.k8s.io\") || !x.find(\"^([^/]+)\").endsWith(\"k8s.io\"))"},{"message":"label domain \"karpenter.sh\" is restricted","rule":"self.all(x, x in [\"karpenter.sh/capacity-type\", \"karpenter.sh/nodepool\"] || !x.find(\"^([^/]+)\").endsWith(\"karpenter.sh\"))"},{"message":"label \"karpenter.sh/nodepool\" is restricted","rule":"self.all(x, x != \"karpenter.sh/nodepool\")"},{"message":"label \"kubernetes.io/hostname\" is restricted","rule":"self.all(x, x != \"kubernetes.io/hostname\")"},{"message":"label domain \"karpenter.k8s.aws\" is restricted","rule":"self.all(x, x in [\"karpenter.k8s.aws/instance-tenancy\", \"karpenter.k8s.aws/capacity-reservation-type\", \"karpenter.k8s.aws/capacity-reservation-id\", \"karpenter.k8s.aws/ec2nodeclass\", \"karpenter.k8s.aws/instance-encryption-in-transit-supported\", \"karpenter.k8s.aws/instance-category\", \"karpenter.k8s.aws/instance-hypervisor\", \"karpenter.k8s.aws/instance-family\", 
\"karpenter.k8s.aws/instance-generation\", \"karpenter.k8s.aws/instance-local-nvme\", \"karpenter.k8s.aws/instance-size\", \"karpenter.k8s.aws/instance-cpu\", \"karpenter.k8s.aws/instance-cpu-manufacturer\", \"karpenter.k8s.aws/instance-cpu-sustained-clock-speed-mhz\", \"karpenter.k8s.aws/instance-memory\", \"karpenter.k8s.aws/instance-ebs-bandwidth\", \"karpenter.k8s.aws/instance-network-bandwidth\", \"karpenter.k8s.aws/instance-gpu-name\", \"karpenter.k8s.aws/instance-gpu-manufacturer\", \"karpenter.k8s.aws/instance-gpu-count\", \"karpenter.k8s.aws/instance-gpu-memory\", \"karpenter.k8s.aws/instance-accelerator-name\", \"karpenter.k8s.aws/instance-accelerator-manufacturer\", \"karpenter.k8s.aws/instance-accelerator-count\", \"karpenter.k8s.aws/instance-capability-flex\"] || !x.find(\"^([^/]+)\").endsWith(\"karpenter.k8s.aws\"))"},{"message":"label domain \"eks.amazonaws.com\" is restricted","rule":"self.all(x, x in [\"eks.amazonaws.com/instance-tenancy\", \"eks.amazonaws.com/capacity-reservation-type\", \"eks.amazonaws.com/capacity-reservation-id\", \"eks.amazonaws.com/nodeclass\", \"eks.amazonaws.com/compute-type\", \"eks.amazonaws.com/instance-encryption-in-transit-supported\", \"eks.amazonaws.com/instance-category\", \"eks.amazonaws.com/instance-hypervisor\", \"eks.amazonaws.com/instance-family\", \"eks.amazonaws.com/instance-generation\", \"eks.amazonaws.com/instance-local-nvme\", \"eks.amazonaws.com/instance-size\", \"eks.amazonaws.com/instance-cpu\", \"eks.amazonaws.com/instance-cpu-manufacturer\", \"eks.amazonaws.com/instance-cpu-sustained-clock-speed-mhz\", \"eks.amazonaws.com/instance-memory\", \"eks.amazonaws.com/instance-ebs-bandwidth\", \"eks.amazonaws.com/instance-network-bandwidth\", \"eks.amazonaws.com/instance-gpu-name\", \"eks.amazonaws.com/instance-gpu-manufacturer\", \"eks.amazonaws.com/instance-gpu-count\", \"eks.amazonaws.com/instance-gpu-memory\", \"eks.amazonaws.com/instance-accelerator-name\", 
\"eks.amazonaws.com/instance-accelerator-manufacturer\", \"eks.amazonaws.com/instance-accelerator-count\", \"eks.amazonaws.com/instance-capability-flex\"] || !x.find(\"^([^/]+)\").endsWith(\"eks.amazonaws.com\"))"},{"message":"label domain \"sagemaker.amazonaws.com\" is restricted","rule":"self.all(x, x in [\"sagemaker.amazonaws.com/compute-type\"] || !x.find(\"^([^/]+)\").endsWith(\"sagemaker.amazonaws.com\"))"}]}}},"spec":{"description":"NodeClaimTemplateSpec describes the desired state of the NodeClaim in the Nodepool\nNodeClaimTemplateSpec is used in the NodePool's NodeClaimTemplate, with the resource requests omitted since\nusers are not able to set resource requests in the NodePool.","type":"object","required":["nodeClassRef","requirements"],"properties":{"expireAfter":{"description":"ExpireAfter is the duration the controller will wait\nbefore terminating a node, measured from when the node is created. This\nis useful to implement features like eventually consistent node upgrade,\nmemory leak protection, and disruption testing.","type":"string","pattern":"^(([0-9]+(s|m|h))+|Never)$"},"nodeClassRef":{"description":"NodeClassRef is a reference to an object that defines provider specific configuration","type":"object","required":["group","kind","name"],"properties":{"group":{"description":"API version of the referent","type":"string","pattern":"^[^/]*$","x-kubernetes-validations":[{"message":"group may not be empty","rule":"self != ''"}]},"kind":{"description":"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\"","type":"string","x-kubernetes-validations":[{"message":"kind may not be empty","rule":"self != ''"}]},"name":{"description":"Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names","type":"string","x-kubernetes-validations":[{"message":"name may not be empty","rule":"self != ''"}]}},"x-kubernetes-validations":[{"message":"nodeClassRef.group 
is immutable","rule":"self.group == oldSelf.group"},{"message":"nodeClassRef.kind is immutable","rule":"self.kind == oldSelf.kind"}]},"requirements":{"description":"Requirements are layered with GetLabels and applied to every node.","type":"array","maxItems":100,"items":{"description":"A node selector requirement with min values is a selector that contains values, a key, an operator that relates the key and values\nand minValues that represent the requirement to have at least that many values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$","x-kubernetes-validations":[{"message":"label domain \"kubernetes.io\" is restricted","rule":"self in [\"beta.kubernetes.io/instance-type\", \"failure-domain.beta.kubernetes.io/region\", \"beta.kubernetes.io/os\", \"beta.kubernetes.io/arch\", \"failure-domain.beta.kubernetes.io/zone\", \"topology.kubernetes.io/zone\", \"topology.kubernetes.io/region\", \"node.kubernetes.io/instance-type\", \"kubernetes.io/arch\", \"kubernetes.io/os\", \"node.kubernetes.io/windows-build\"] || self.find(\"^([^/]+)\").endsWith(\"node.kubernetes.io\") || self.find(\"^([^/]+)\").endsWith(\"node-restriction.kubernetes.io\") || !self.find(\"^([^/]+)\").endsWith(\"kubernetes.io\")"},{"message":"label domain \"k8s.io\" is restricted","rule":"self.find(\"^([^/]+)\").endsWith(\"kops.k8s.io\") || !self.find(\"^([^/]+)\").endsWith(\"k8s.io\")"},{"message":"label domain \"karpenter.sh\" is restricted","rule":"self in [\"karpenter.sh/capacity-type\", \"karpenter.sh/nodepool\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.sh\")"},{"message":"label \"karpenter.sh/nodepool\" is restricted","rule":"self != \"karpenter.sh/nodepool\""},{"message":"label \"kubernetes.io/hostname\" is restricted","rule":"self != 
\"kubernetes.io/hostname\""},{"message":"label domain \"karpenter.k8s.aws\" is restricted","rule":"self in [\"karpenter.k8s.aws/instance-tenancy\", \"karpenter.k8s.aws/capacity-reservation-type\", \"karpenter.k8s.aws/capacity-reservation-id\", \"karpenter.k8s.aws/ec2nodeclass\", \"karpenter.k8s.aws/instance-encryption-in-transit-supported\", \"karpenter.k8s.aws/instance-category\", \"karpenter.k8s.aws/instance-hypervisor\", \"karpenter.k8s.aws/instance-family\", \"karpenter.k8s.aws/instance-generation\", \"karpenter.k8s.aws/instance-local-nvme\", \"karpenter.k8s.aws/instance-size\", \"karpenter.k8s.aws/instance-cpu\", \"karpenter.k8s.aws/instance-cpu-manufacturer\", \"karpenter.k8s.aws/instance-cpu-sustained-clock-speed-mhz\", \"karpenter.k8s.aws/instance-memory\", \"karpenter.k8s.aws/instance-ebs-bandwidth\", \"karpenter.k8s.aws/instance-network-bandwidth\", \"karpenter.k8s.aws/instance-gpu-name\", \"karpenter.k8s.aws/instance-gpu-manufacturer\", \"karpenter.k8s.aws/instance-gpu-count\", \"karpenter.k8s.aws/instance-gpu-memory\", \"karpenter.k8s.aws/instance-accelerator-name\", \"karpenter.k8s.aws/instance-accelerator-manufacturer\", \"karpenter.k8s.aws/instance-accelerator-count\", \"karpenter.k8s.aws/instance-capability-flex\"] || !self.find(\"^([^/]+)\").endsWith(\"karpenter.k8s.aws\")"},{"message":"label domain \"eks.amazonaws.com\" is restricted","rule":"self in [\"eks.amazonaws.com/instance-tenancy\", \"eks.amazonaws.com/capacity-reservation-type\", \"eks.amazonaws.com/capacity-reservation-id\", \"eks.amazonaws.com/nodeclass\", \"eks.amazonaws.com/compute-type\", \"eks.amazonaws.com/instance-encryption-in-transit-supported\", \"eks.amazonaws.com/instance-category\", \"eks.amazonaws.com/instance-hypervisor\", \"eks.amazonaws.com/instance-family\", \"eks.amazonaws.com/instance-generation\", \"eks.amazonaws.com/instance-local-nvme\", \"eks.amazonaws.com/instance-size\", \"eks.amazonaws.com/instance-cpu\", \"eks.amazonaws.com/instance-cpu-manufacturer\", 
\"eks.amazonaws.com/instance-cpu-sustained-clock-speed-mhz\", \"eks.amazonaws.com/instance-memory\", \"eks.amazonaws.com/instance-ebs-bandwidth\", \"eks.amazonaws.com/instance-network-bandwidth\", \"eks.amazonaws.com/instance-gpu-name\", \"eks.amazonaws.com/instance-gpu-manufacturer\", \"eks.amazonaws.com/instance-gpu-count\", \"eks.amazonaws.com/instance-gpu-memory\", \"eks.amazonaws.com/instance-accelerator-name\", \"eks.amazonaws.com/instance-accelerator-manufacturer\", \"eks.amazonaws.com/instance-accelerator-count\", \"eks.amazonaws.com/instance-capability-flex\"] || !self.find(\"^([^/]+)\").endsWith(\"eks.amazonaws.com\")"},{"message":"label domain \"sagemaker.amazonaws.com\" is restricted","rule":"self in [\"sagemaker.amazonaws.com/compute-type\"] || !self.find(\"^([^/]+)\").endsWith(\"sagemaker.amazonaws.com\")"}]},"minValues":{"description":"This field is ALPHA and can be dropped or replaced at any time\nMinValues is the minimum number of unique values required to define the flexibility of the specific requirement.","type":"integer","maximum":50,"minimum":1},"operator":{"description":"Represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists, DoesNotExist. Gt, Lt, Gte, and Lte.","type":"string","enum":["Gte","Lte","In","NotIn","Exists","DoesNotExist","Gt","Lt"]},"values":{"description":"An array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. If the operator is Gt, Lt, Gte, or Lte, the values\narray must have a single element, which will be interpreted as an integer.\nThis array is replaced during a strategic merge patch.","type":"array","maxLength":63,"pattern":"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"x-kubernetes-validations":[{"message":"requirements with operator 'In' must have a value defined","rule":"self.all(x, x.operator == 'In' ? 
x.values.size() != 0 : true)"},{"message":"requirements operator 'Gt', 'Lt', 'Gte', or 'Lte' must have a single positive integer value","rule":"self.all(x, (x.operator == 'Gt' || x.operator == 'Lt' || x.operator == 'Gte' || x.operator == 'Lte') ? (x.values.size() == 1 && int(x.values[0]) >= 0) : true)"},{"message":"requirements with 'minValues' must have at least that many values specified in the 'values' field","rule":"self.all(x, (x.operator == 'In' && has(x.minValues)) ? x.values.size() >= x.minValues : true)"}]},"startupTaints":{"description":"StartupTaints are taints that are applied to nodes upon startup which are expected to be removed automatically\nwithin a short period of time, typically by a DaemonSet that tolerates the taint. These are commonly used by\ndaemonsets to allow initialization and enforce startup ordering.  StartupTaints are ignored for provisioning\npurposes in that pods are not required to tolerate a StartupTaint in order to have nodes provisioned for them.","type":"array","items":{"description":"The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint.","type":"object","required":["effect","key"],"properties":{"effect":{"description":"Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute.","type":"string","enum":["NoSchedule","PreferNoSchedule","NoExecute"]},"key":{"description":"Required. 
The taint key to be applied to a node.","type":"string","minLength":1,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added.","type":"string","format":"date-time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string","pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"}}}},"taints":{"description":"Taints will be applied to the NodeClaim's node.","type":"array","items":{"description":"The node this Taint is attached to has the \"effect\" on\nany pod that does not tolerate the Taint.","type":"object","required":["effect","key"],"properties":{"effect":{"description":"Required. The effect of the taint on pods\nthat do not tolerate the taint.\nValid effects are NoSchedule, PreferNoSchedule and NoExecute.","type":"string","enum":["NoSchedule","PreferNoSchedule","NoExecute"]},"key":{"description":"Required. 
The taint key to be applied to a node.","type":"string","minLength":1,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added.","type":"string","format":"date-time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string","pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(\\/))?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$"}}}},"terminationGracePeriod":{"description":"TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.\n\nWarning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.\n\nThis field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.\nWhen set, drifted nodes will begin draining even if there are pods blocking eviction. 
Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.\n\nKarpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.\nIf a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,\nthat pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.\n\nThe feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.\nIf left undefined, the controller will wait indefinitely for pods to be drained.","type":"string","pattern":"^([0-9]+(s|m|h))+$"}},"x-kubernetes-validations":[{"message":"the sum of expireAfter and terminationGracePeriod may not exceed 21 days","rule":"(self.nodeClassRef.group == 'eks.amazonaws.com' && self.nodeClassRef.kind == 'NodeClass' && has(self.terminationGracePeriod)) ? duration(self.expireAfter) + duration(self.terminationGracePeriod) <= duration('504h') : true"},{"message":"the sum of expireAfter and terminationGracePeriod (defaulted to 24h) may not exceed 21 days","rule":"(self.nodeClassRef.group == 'eks.amazonaws.com' && self.nodeClassRef.kind == 'NodeClass' && !has(self.terminationGracePeriod)) ? duration(self.expireAfter) <= duration('480h') : true"},{"message":"expireAfter may not be set to Never","rule":"(self.nodeClassRef.group == 'eks.amazonaws.com' && self.nodeClassRef.kind == 'NodeClass') ? self.expireAfter != 'Never' : true"}]}}},"weight":{"description":"Weight is the priority given to the nodepool during scheduling. A higher\nnumerical weight indicates that this nodepool will be ordered\nahead of other nodepools with lower weights. 
A nodepool with no weight\nwill be treated as if it is a nodepool with a weight of 0.\nWeight is not supported when replicas is set.","type":"integer","format":"int32","maximum":100,"minimum":1}},"x-kubernetes-validations":[{"message":"Cannot transition NodePool between static (replicas set) and dynamic (replicas unset) provisioning modes","rule":"has(self.replicas) == has(oldSelf.replicas)"},{"message":"only 'limits.nodes' is supported on static NodePools","rule":"!has(self.replicas) || (!has(self.limits) || size(self.limits) == 0 || (size(self.limits) == 1 && 'nodes' in self.limits))"},{"message":"'weight' is not supported on static NodePools","rule":"!has(self.replicas) || !has(self.weight)"}]},"status":{"description":"NodePoolStatus defines the observed state of NodePool","type":"object","properties":{"conditions":{"description":"Conditions contains signals for health and readiness","type":"array","items":{"description":"Condition aliases the upstream type and adds additional helper methods","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  
If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"nodeClassObservedGeneration":{"description":"NodeClassObservedGeneration represents the observed nodeClass generation for referenced nodeClass. 
If this does not match\nthe actual NodeClass Generation, NodeRegistrationHealthy status condition on the NodePool will be reset","type":"integer","format":"int64"},"nodes":{"description":"Nodes is the count of nodes associated with this NodePool","type":"integer","format":"int64"},"resources":{"description":"Resources is the list of resources that have been provisioned.","type":"object","additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","x-kubernetes-int-or-string":true}}}}},"x-kubernetes-group-version-kind":[{"group":"karpenter.sh","kind":"NodePool","version":"v1"}],"title":"sh.karpenter.v1.NodePool"},"sh.karpenter.v1.NodePoolList":{"description":"NodePoolList is a list of NodePool","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodepools. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/sh.karpenter.v1.NodePool"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"karpenter.sh","kind":"NodePoolList","version":"v1"}],"title":"sh.karpenter.v1.NodePoolList"}},"$schema":"https://json-schema.org/draft-07/schema#","$id":"/schemas/external-secrets.io/v1alpha1/SecretStoreList"}